CVE-2024-28930 Overview
CVE-2024-28930 is a remote code execution vulnerability in the Microsoft ODBC Driver for SQL Server. The flaw originates from an integer underflow condition [CWE-191] within the driver's data handling logic. An attacker who controls a malicious SQL Server endpoint can trick a vulnerable client into connecting and trigger code execution in the client process context.
The vulnerability requires user interaction, typically through a crafted database connection, but does not require authentication or elevated privileges on the target. Affected components extend beyond the standalone ODBC driver to bundled installations within SQL Server 2019, SQL Server 2022, Visual Studio 2019, and Visual Studio 2022.
Critical Impact
A successful exploit allows an unauthenticated attacker controlling a rogue SQL Server to execute arbitrary code on any client connecting through the vulnerable ODBC driver, compromising confidentiality, integrity, and availability.
Affected Products
- Microsoft ODBC Driver for SQL Server (Windows, Linux, and macOS builds)
- Microsoft SQL Server 2019 and Microsoft SQL Server 2022 (x64)
- Microsoft Visual Studio 2019 and Microsoft Visual Studio 2022
Discovery Timeline
- 2024-04-09 - CVE-2024-28930 published to the National Vulnerability Database
- 2024-04-09 - Microsoft published the Microsoft CVE-2024-28930 Advisory
- 2025-01-14 - NVD entry last updated
Technical Details for CVE-2024-28930
Vulnerability Analysis
The vulnerability is classified as an integer underflow [CWE-191] in the Microsoft ODBC Driver for SQL Server. Integer underflow occurs when an arithmetic operation produces a value below the minimum representable value for its data type; for an unsigned type the result wraps around to a very large value. When the driver uses such a corrupted value as a length or offset for memory operations, it can lead to out-of-bounds writes and memory corruption that an attacker can leverage for code execution.
Exploitation requires a victim client application to initiate a connection to an attacker-controlled SQL Server endpoint. Once the connection is established, malformed Tabular Data Stream (TDS) responses returned by the malicious server can drive the underflow path inside the client-side driver. Execution occurs in the security context of the process that loaded the ODBC driver, which often includes Visual Studio, SQL Server tools, and custom data-tier applications.
Root Cause
The root cause is improper validation of size or length fields received from a remote SQL Server before they are used in arithmetic that underlies buffer allocations or memory copies. A negative or unexpectedly small value wraps when interpreted as an unsigned integer, producing an oversized region that the driver then writes into.
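The pattern the root-cause paragraph describes, shown on a constructed length-prefixed record format rather than the driver's real TDS handling (this is an added example, not Microsoft's code, and the header layout, field names and sizes are assumptions): subtracting a fixed header size from a remotely supplied 32-bit length wraps to a huge unsigned value when the declared length is smaller than the header, while the hardened parser rejects the length before any arithmetic or copy uses it.

```python
"""Illustrates CWE-191 on a constructed length-prefixed record format.

Not the ODBC driver's code: the 8-byte header (u32 total length, u16 message
type, 2 reserved bytes) and the function names are assumptions made for the
example.
"""
import struct

HEADER_LEN = 8            # assumed header size for the constructed format
U32_MASK = 0xFFFFFFFF     # width of the remotely supplied length field


def payload_len_unchecked(total_len: int) -> int:
    """Mimic C unsigned arithmetic: (uint32_t)total_len - HEADER_LEN.

    A remote length smaller than the header wraps to a value near 2**32, which
    is the kind of corrupted size the advisory says ends up driving a memory
    write.
    """
    return (total_len - HEADER_LEN) & U32_MASK


def parse_record(buf: bytes) -> bytes:
    """Hardened parser: validate the declared length before using it.

    Two checks matter: the length must cover at least the header (prevents the
    wrap), and it must not exceed the bytes actually received (prevents an
    over-read on a truncated record).
    """
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated header")
    total_len, _msg_type = struct.unpack_from("<IH", buf, 0)
    if total_len < HEADER_LEN:
        raise ValueError(f"declared length {total_len} is smaller than the {HEADER_LEN}-byte header")
    if total_len > len(buf):
        raise ValueError(f"declared length {total_len} exceeds received {len(buf)} bytes")
    return buf[HEADER_LEN:total_len]


# Constructed sample records (not captured traffic).
GOOD_RECORD = struct.pack("<IHxx", 12, 1) + b"abcd"   # 8-byte header + 4-byte payload
BAD_RECORD = struct.pack("<IHxx", 4, 1) + b"abcd"     # declares a length smaller than the header


def demo() -> dict:
    """Return what each path does with the malicious length, for inspection."""
    try:
        parse_record(BAD_RECORD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "wrapped_length": payload_len_unchecked(4),
        "hardened_rejects_bad": rejected,
        "good_payload": parse_record(GOOD_RECORD),
    }


if __name__ == "__main__":
    print(demo())
```

The unchecked value (0xFFFFFFFC for a declared length of 4) is what a bounds check must never let reach an allocation or copy; the order of checks in `parse_record` is the point, not the toy format.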
Attack Vector
The attack vector is network-based with user interaction required: a user or application must initiate an ODBC connection to a malicious SQL Server. The attacker hosts a rogue TDS-speaking server, lures the client to connect using social engineering or DNS or hostname redirection, and returns crafted protocol responses that exercise the vulnerable code path. No prior credentials on the victim system are required.
No verified proof-of-concept code is publicly available for this issue. For protocol-level technical details, refer to the Microsoft CVE-2024-28930 Advisory.
Detection Methods for CVE-2024-28930
Indicators of Compromise
- Outbound TDS connections (TCP/1433 or custom SQL ports) from developer workstations or application servers to untrusted or newly observed external hosts.
- Crashes, exceptions, or unusual child processes originating from processes that load msodbcsql*.dll or the Linux/macOS equivalents.
- Unexpected loading of the ODBC driver inside Visual Studio (devenv.exe) or SQL Server tooling immediately followed by suspicious process creation.
Detection Strategies
- Inventory hosts running vulnerable versions of the Microsoft ODBC Driver for SQL Server, SQL Server 2019 and 2022, and Visual Studio 2019 and 2022 using software asset management or EDR telemetry.
- Hunt for process trees where ODBC-consuming applications spawn shells, scripting interpreters, or LOLBins shortly after establishing an outbound database connection.
- Alert on TDS sessions to non-corporate IP ranges, especially from engineering subnets that historically connect only to internal database servers.
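The indicators and hunting strategies above combined into one correlation rule, as an added example (not part of the original page): a process that loaded an msodbcsql module, then made a TDS connection, then spawned a shell or interpreter within a short window is flagged, with higher severity when the connection went outside the internal database allowlist. The event shapes are a constructed, simplified approximation of Sysmon-style image-load, network-connect and process-create records, and the allowlist subnet, window length and module name globs are assumptions to adjust per environment.

```python
"""Correlate endpoint telemetry for the CVE-2024-28930 exploitation pattern.

Constructed example; the event records below are invented, not telemetry from
the page, and the allowlist, time window and module globs are assumptions.
"""
import fnmatch
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed internal SQL Server subnets; anything else is an untrusted TDS destination.
INTERNAL_DB_NETS = [ipaddress.ip_network("10.10.5.0/24")]
TDS_PORTS = {1433}
ODBC_MODULE_GLOBS = ["msodbcsql*.dll", "libmsodbcsql*.so*", "libmsodbcsql*.dylib"]
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "sh", "bash"}
SPAWN_WINDOW = timedelta(seconds=120)   # assumed: shell must follow the connection within 2 minutes
SEV_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample events (ISO timestamps sort lexically, which the analysis relies on).
SAMPLE_EVENTS = [
    {"ts": "2024-04-10T09:00:01", "type": "image_load", "pid": 4120, "image": "devenv.exe",
     "module": r"C:\Windows\System32\msodbcsql18.dll"},
    {"ts": "2024-04-10T09:00:05", "type": "net_connect", "pid": 4120, "image": "devenv.exe",
     "dst_ip": "10.10.5.20", "dst_port": 1433},
    {"ts": "2024-04-10T09:01:10", "type": "net_connect", "pid": 4120, "image": "devenv.exe",
     "dst_ip": "203.0.113.45", "dst_port": 1433},
    {"ts": "2024-04-10T09:01:14", "type": "proc_create", "pid": 5333, "ppid": 4120,
     "image": "powershell.exe", "cmdline": "powershell -nop -w hidden"},
    {"ts": "2024-04-10T09:30:00", "type": "image_load", "pid": 7001, "image": "reportsvc.exe",
     "module": r"C:\Windows\System32\msodbcsql18.dll"},
    {"ts": "2024-04-10T09:30:02", "type": "net_connect", "pid": 7001, "image": "reportsvc.exe",
     "dst_ip": "10.10.5.21", "dst_port": 1433},
    {"ts": "2024-04-10T09:30:05", "type": "proc_create", "pid": 7002, "ppid": 7001,
     "image": "cmd.exe", "cmdline": "cmd /c dir"},
]


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_DB_NETS)


def _is_odbc_module(path: str) -> bool:
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatch(name, g) for g in ODBC_MODULE_GLOBS)


def _raise_severity(finding: dict, sev: str) -> None:
    if SEV_RANK[sev] > SEV_RANK[finding["severity"]]:
        finding["severity"] = sev


def analyze(events: list) -> dict:
    """Return {pid: {"image", "reasons", "severity"}} for ODBC-loading processes worth triage."""
    events = sorted(events, key=lambda e: e["ts"])
    odbc_pids = {}    # pid -> image name of a process that loaded an ODBC driver module
    last_tds = {}     # pid -> (timestamp, destination_was_untrusted) of its latest TDS connection
    findings = defaultdict(lambda: {"image": None, "reasons": [], "severity": "low"})
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "image_load" and _is_odbc_module(e["module"]):
            odbc_pids[e["pid"]] = e["image"]
        elif e["type"] == "net_connect" and e["dst_port"] in TDS_PORTS and e["pid"] in odbc_pids:
            untrusted = not _is_internal(e["dst_ip"])
            last_tds[e["pid"]] = (ts, untrusted)
            if untrusted:                       # IoC: TDS session to a non-allowlisted host
                f = findings[e["pid"]]
                f["image"] = e["image"]
                f["reasons"].append(f"tds_to_untrusted:{e['dst_ip']}")
                _raise_severity(f, "medium")
        elif (e["type"] == "proc_create" and e["ppid"] in odbc_pids
              and e["image"].lower() in SUSPICIOUS_CHILDREN):
            conn = last_tds.get(e["ppid"])      # shell spawned shortly after a TDS connection
            if conn and timedelta(0) <= ts - conn[0] <= SPAWN_WINDOW:
                f = findings[e["ppid"]]
                f["image"] = odbc_pids[e["ppid"]]
                f["reasons"].append(f"shell_after_tds:{e['image']}")
                _raise_severity(f, "high" if conn[1] else "medium")
    return {pid: dict(v) for pid, v in findings.items()}


if __name__ == "__main__":
    for pid, f in analyze(SAMPLE_EVENTS).items():
        print(pid, f["image"], f["severity"], f["reasons"])
```

On the sample data the devenv.exe process scores high (untrusted destination followed by a hidden PowerShell child), while reportsvc.exe scores medium for spawning cmd.exe after a connection to an internal server; the second case is the baseline-noise check the monitoring section calls for, so an allowlist of known-good parent/child pairs would normally sit in front of it.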
Monitoring Recommendations
- Enforce egress filtering for SQL ports and log all allowed connections, baselining expected destinations.
- Capture and retain module-load events for msodbcsql libraries to support post-incident scoping.
- Monitor patch compliance for the ODBC driver across Windows, Linux, and macOS endpoints, since the vulnerability spans all three platforms.
How to Mitigate CVE-2024-28930
Immediate Actions Required
- Apply the Microsoft security updates referenced in the Microsoft CVE-2024-28930 Advisory to every system running a vulnerable ODBC driver version.
- Update SQL Server 2019, SQL Server 2022, Visual Studio 2019, and Visual Studio 2022 installations, which bundle the affected driver components.
- Block outbound TDS traffic from user workstations to untrusted networks until patching is complete.
Patch Information
Microsoft has released fixed versions of the ODBC Driver for SQL Server for Windows, Linux, and macOS, along with corresponding updates for SQL Server 2019, SQL Server 2022, Visual Studio 2019, and Visual Studio 2022. Refer to the Microsoft CVE-2024-28930 Advisory for the specific package versions and download links applicable to each platform.
Workarounds
- Restrict outbound database connections to a vetted allowlist of internal SQL Server hosts via firewall or host-based policy.
- Avoid connecting to untrusted or third-party SQL Server endpoints from systems that cannot yet be patched.
- Run development and database client tooling under least-privileged accounts to limit the impact of successful exploitation.
# Example: verify installed ODBC driver version on Linux
odbcinst -q -d -n "ODBC Driver 18 for SQL Server"
dpkg -l | grep msodbcsql
# Example: block outbound TDS to untrusted networks on Windows (PowerShell)
New-NetFirewallRule -DisplayName "Block outbound TDS to untrusted" `
-Direction Outbound -Protocol TCP -RemotePort 1433 `
-RemoteAddress Internet -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.