CVE-2024-28929 Overview
CVE-2024-28929 is a remote code execution vulnerability in the Microsoft ODBC Driver for SQL Server. The flaw is categorized under [CWE-190] integer overflow or wraparound, which can lead to memory corruption when processing crafted server responses. Microsoft assigned this CVE a CVSS 3.1 score of 8.8 across the affected ODBC Driver, SQL Server 2019, SQL Server 2022, and Visual Studio 2019/2022 distributions that ship the driver.
Exploitation requires an authenticated user to connect a vulnerable ODBC client to an attacker-controlled SQL Server endpoint. A successful attack permits arbitrary code execution in the context of the connecting client process.
Critical Impact
Successful exploitation grants remote code execution on the client system connecting to a malicious SQL Server, with full impact to confidentiality, integrity, and availability.
Affected Products
- Microsoft ODBC Driver for SQL Server (Windows, Linux, macOS)
- Microsoft SQL Server 2019 and SQL Server 2022 (x64)
- Microsoft Visual Studio 2019 and Visual Studio 2022
Discovery Timeline
- 2024-04-09 - CVE-2024-28929 published to NVD
- 2025-01-14 - Last updated in NVD database
Technical Details for CVE-2024-28929
Vulnerability Analysis
The vulnerability resides in how the Microsoft ODBC Driver for SQL Server parses data returned from a SQL Server during client-server communication. An integer overflow [CWE-190] occurs when length or size values supplied within a response are arithmetically combined without proper bounds checking. The resulting wrapped value is used to allocate or index a buffer, producing an undersized allocation followed by an out-of-bounds memory write.
Because the corruption originates in the client-side driver, the attacker controls SQL Server responses rather than the database server itself. The ODBC Driver runs in-process with any application that loads it, including SQL Server tooling, Visual Studio data connectors, and custom applications using the driver. Code execution therefore occurs at the privilege of the calling process.
Root Cause
The root cause is unchecked arithmetic on attacker-influenced size fields parsed from the Tabular Data Stream (TDS) protocol response. When the computed value wraps past INT_MAX or SIZE_MAX, subsequent memory operations operate on a buffer smaller than the data being copied.
Attack Vector
The attack vector is network-based with user interaction required. An attacker hosts a malicious SQL Server instance and induces a victim, through phishing, a malicious connection string, or a compromised configuration, to initiate an ODBC connection to it. The crafted server response triggers the integer overflow during TDS parsing.
No verified public proof-of-concept code is available for this vulnerability. Refer to the Microsoft Security Update CVE-2024-28929 advisory for vendor technical details.
Detection Methods for CVE-2024-28929
Indicators of Compromise
- Outbound TDS connections (TCP/1433 or custom SQL ports) from developer workstations or application servers to untrusted external IP addresses.
- Unexpected child processes spawned by sqlcmd.exe, devenv.exe, ssms.exe, or applications linked against msodbcsql*.dll.
- Crashes or memory access violations originating from msodbcsql17.dll or msodbcsql18.dll recorded in Windows Application event logs.
Detection Strategies
- Inventory hosts running vulnerable versions of msodbcsql17.dll and msodbcsql18.dll and correlate with SQL Server and Visual Studio installations.
- Alert on ODBC client connections to SQL Server endpoints outside approved network ranges or to newly registered domains.
- Monitor for shellcode-like behavior, including process hollowing, reflective loading, or LOLBin execution, originating from processes that have loaded the ODBC driver.
Monitoring Recommendations
- Enable Windows Defender Exploit Guard or equivalent memory protection logging on systems with the ODBC driver installed.
- Forward TDS-layer firewall logs and Sysmon Event ID 3 (network connections) to a central data lake for correlation.
- Track patch deployment status of msodbcsql packages across Windows, Linux, and macOS endpoints.
How to Mitigate CVE-2024-28929
Immediate Actions Required
- Apply the Microsoft April 2024 security update for the ODBC Driver for SQL Server on all Windows, Linux, and macOS hosts.
- Update SQL Server 2019, SQL Server 2022, Visual Studio 2019, and Visual Studio 2022 to the patched builds referenced in the MSRC advisory.
- Block outbound TCP/1433 and other SQL Server ports at the perimeter except to approved database hosts.
Patch Information
Microsoft addressed CVE-2024-28929 in the April 2024 Patch Tuesday release. Patched versions of the ODBC Driver, SQL Server, and Visual Studio are documented in the Microsoft Security Update CVE-2024-28929 advisory. Administrators should redeploy the updated driver package to every host that uses ODBC to connect to SQL Server.
Workarounds
- Restrict ODBC connections to a hardened allowlist of trusted SQL Server endpoints using host-based firewall rules.
- Require encrypted TDS connections with certificate validation (Encrypt=yes;TrustServerCertificate=no) to prevent connection redirection.
- Educate developers and analysts to validate connection strings before connecting to unfamiliar SQL Server instances.
# Linux: upgrade the Microsoft ODBC Driver 17/18 to the patched package
sudo ACCEPT_EULA=Y apt-get install --only-upgrade -y msodbcsql17 msodbcsql18
# Windows: verify installed driver version
powershell -Command "Get-ItemProperty 'HKLM:\SOFTWARE\ODBC\ODBCINST.INI\ODBC Driver 18 for SQL Server' | Select-Object Driver, DriverODBCVer"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
