CVE-2024-28935 Overview
CVE-2024-28935 is a remote code execution vulnerability in the Microsoft ODBC Driver for SQL Server. The flaw is tracked under CWE-122 (Heap-based Buffer Overflow) and affects deployments on Windows, Linux, and macOS. An attacker can trigger code execution in the context of a client process that connects to an attacker-controlled SQL Server endpoint. Successful exploitation requires user interaction, typically convincing a victim to initiate a database connection. The vulnerability impacts SQL Server 2019, SQL Server 2022, Visual Studio 2019, and Visual Studio 2022 installations that ship the affected ODBC driver components.
Critical Impact
Remote attackers can execute arbitrary code on client systems by luring users to connect to a malicious SQL Server instance, compromising confidentiality, integrity, and availability.
Affected Products
- Microsoft ODBC Driver for SQL Server (Windows, Linux, macOS)
- Microsoft SQL Server 2019 and SQL Server 2022 (x64)
- Microsoft Visual Studio 2019 and Visual Studio 2022
Discovery Timeline
- 2024-04-09 - CVE-2024-28935 published to NVD
- 2025-01-14 - Last updated in NVD database
Technical Details for CVE-2024-28935
Vulnerability Analysis
The vulnerability is a heap-based buffer overflow [CWE-122] in the Microsoft ODBC Driver for SQL Server. The driver mishandles data returned from a SQL Server during a client-initiated session. When the driver parses crafted server responses, an undersized heap allocation is overwritten, corrupting adjacent heap metadata and program data.
The attack requires the victim to connect a client application using the ODBC driver to a SQL Server instance controlled by the attacker. Tools that embed the driver, including SQL Server Management Studio components and Visual Studio data tooling, expand the attack surface beyond standalone database clients.
Exploitation grants code execution in the security context of the calling process. On developer workstations and ETL hosts, this often translates to access to source code, credentials, and onward database connections.
Root Cause
The root cause is improper validation of length or size fields in server-supplied protocol data before copying it into a fixed-size heap buffer inside the ODBC driver. The bounds check fails to constrain the copy operation, enabling overflow of the heap region.
Attack Vector
The attack vector is network-based with required user interaction. An attacker hosts a malicious SQL Server endpoint or performs an adversary-in-the-middle attack against a legitimate connection. When the targeted client connects, the malicious server returns crafted Tabular Data Stream (TDS) responses that trigger the overflow during driver-side parsing. Refer to the Microsoft Security Update CVE-2024-28935 advisory for the affected driver versions.
Detection Methods for CVE-2024-28935
Indicators of Compromise
- Outbound TDS connections (TCP/1433 or custom SQL Server ports) from developer workstations or application servers to untrusted external IP addresses.
- Unexpected child processes spawned by sqlservr.exe, ssms.exe, devenv.exe, or applications loading msodbcsql*.dll.
- Crashes or access violations in processes that have loaded the Microsoft ODBC Driver for SQL Server, recorded in Windows Error Reporting.
Detection Strategies
- Inventory hosts with vulnerable versions of msodbcsql17.dll, msodbcsql18.dll, or their Linux/macOS equivalents using software asset management telemetry.
- Hunt for processes loading the ODBC driver that subsequently initiate suspicious child processes, file writes to startup locations, or LSASS access.
- Alert on TDS protocol traffic to destinations outside the approved database server allowlist.
Monitoring Recommendations
- Forward EDR process, module-load, and network events to a centralized analytics platform and correlate ODBC driver loads with outbound 1433/TDS connections.
- Enable Windows Defender Exploit Guard or equivalent memory protection telemetry to surface heap corruption events in client applications.
- Monitor MSRC advisories and update the detection ruleset when new driver builds or related CVEs are published.
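The correlation described in the detection and monitoring bullets above (an ODBC driver load followed by an outbound TDS connection to a host outside the database allowlist), as an added example that is not part of the advisory. The EDR-style events, the allowlist network and the custom SQL port are all constructed assumptions.

```python
"""Correlate Microsoft ODBC driver loads with outbound TDS connections.
Added example, not from the advisory; input is constructed EDR-style telemetry."""
import fnmatch
import ipaddress

# Constructed sample events (not real telemetry), assumed to be in time order.
EVENTS = [
    {"host": "dev01", "pid": 4120, "image": "devenv.exe", "type": "module_load",
     "module": r"C:\Windows\System32\msodbcsql18.dll"},
    {"host": "dev01", "pid": 4120, "image": "devenv.exe", "type": "net_connect",
     "dst": "10.20.0.15", "dport": 1433},       # approved database server
    {"host": "dev01", "pid": 4120, "image": "devenv.exe", "type": "net_connect",
     "dst": "203.0.113.7", "dport": 1433},      # outside the allowlist
    {"host": "etl02", "pid": 880, "image": "python3", "type": "module_load",
     "module": "/opt/microsoft/msodbcsql17/lib64/libmsodbcsql-17.10.so.6.1"},
    {"host": "etl02", "pid": 880, "image": "python3", "type": "net_connect",
     "dst": "198.51.100.9", "dport": 14333},    # custom SQL Server port
    {"host": "web03", "pid": 120, "image": "chrome.exe", "type": "net_connect",
     "dst": "203.0.113.7", "dport": 1433},      # no ODBC driver loaded: ignored
]

# Assumptions: the DBA team's allowlist of database networks and the SQL ports in use.
ALLOWED_DB_NETS = [ipaddress.ip_network("10.20.0.0/24")]
SQL_PORTS = {1433, 14333}

def is_odbc_driver(module_path):
    """True for the Windows (msodbcsql*.dll) or Linux/macOS (libmsodbcsql*) driver."""
    name = module_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return fnmatch.fnmatch(name, "msodbcsql*.dll") or name.startswith("libmsodbcsql")

def find_suspicious_tds(events):
    """Return (host, pid, image, dst) for every process that loaded the ODBC driver
    and later opened a connection to a SQL port outside the approved networks."""
    loaded = set()
    alerts = []
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "module_load" and is_odbc_driver(ev["module"]):
            loaded.add(key)
        elif ev["type"] == "net_connect" and ev["dport"] in SQL_PORTS and key in loaded:
            dst = ipaddress.ip_address(ev["dst"])
            if not any(dst in net for net in ALLOWED_DB_NETS):
                alerts.append((ev["host"], ev["pid"], ev["image"], ev["dst"]))
    return alerts

if __name__ == "__main__":
    for host, pid, image, dst in find_suspicious_tds(EVENTS):
        print(f"ALERT {host}: {image} (pid {pid}) opened TDS connection to unapproved {dst}")
```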
How to Mitigate CVE-2024-28935
Immediate Actions Required
- Apply the Microsoft ODBC Driver for SQL Server updates referenced in the Microsoft Security Update CVE-2024-28935 advisory to all Windows, Linux, and macOS clients.
- Update SQL Server 2019, SQL Server 2022, Visual Studio 2019, and Visual Studio 2022 installations that bundle the vulnerable driver.
- Restrict outbound TCP/1433 and other SQL Server ports at the egress firewall to approved database hosts only.
Patch Information
Microsoft published fixed driver versions through the Microsoft Security Update CVE-2024-28935 advisory. Administrators should deploy the updated msodbcsql packages on Windows via Microsoft Update or the standalone installer, and update Linux distributions through the Microsoft package repository (apt, yum, zypper). macOS clients should reinstall the driver via Homebrew using Microsoft's tap.
Workarounds
- Block ODBC client traffic to untrusted networks using host-based and perimeter firewall rules until patches are deployed.
- Enforce encrypted, certificate-validated connections to known SQL Server instances to reduce adversary-in-the-middle exposure.
- Educate developers and analysts not to connect database tooling to unverified SQL Server endpoints from email links or shared connection strings.
# Update the Microsoft ODBC Driver on Debian/Ubuntu after patch release
sudo apt-get update
sudo ACCEPT_EULA=Y apt-get install --only-upgrade msodbcsql18
# Print the unixODBC configuration paths; the odbcinst.ini listed there holds the installed driver entries
odbcinst -j
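A check for the workarounds listed above (approved endpoint, encrypted transport, certificate validation, no shared secrets) applied to ODBC connection strings, as an added example that is not part of the advisory. The approved server list and the sample strings are constructed assumptions; the rule that ODBC Driver 18 encrypts by default while 17 and older do not is the documented driver behaviour.

```python
"""Audit ODBC connection strings against the workarounds above: approved server,
encrypted transport, certificate validation. Added example, not from the advisory."""

# Assumption: the organisation's approved SQL Server endpoints.
APPROVED_SERVERS = {"sql-prod01.corp.example", "sql-dw02.corp.example"}

# Constructed sample strings of the kind found in app configs or shared by email.
SAMPLE_STRINGS = {
    "etl_job": "Driver={ODBC Driver 18 for SQL Server};Server=tcp:sql-prod01.corp.example,1433;"
               "Database=Sales;Encrypt=yes;TrustServerCertificate=no;Trusted_Connection=yes",
    "legacy_report": "Driver={ODBC Driver 17 for SQL Server};Server=sql-dw02.corp.example\\BI;"
                     "Database=Reports;Trusted_Connection=yes",
    "emailed_link": "Driver={ODBC Driver 18 for SQL Server};Server=203.0.113.7,1433;"
                    "Uid=analyst;Pwd=example;TrustServerCertificate=yes",
}

def parse_connection_string(s):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    out = {}
    for part in s.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out

def audit(conn_str, approved=APPROVED_SERVERS):
    """Return a list of findings; an empty list means the string follows the workarounds."""
    kv = parse_connection_string(conn_str)
    findings = []
    # Server may carry a 'tcp:' prefix, a ',port' suffix or a '\instance' suffix.
    host = kv.get("server", "").lower()
    host = host[4:] if host.startswith("tcp:") else host
    host = host.split(",")[0].split("\\")[0]
    if host not in approved:
        findings.append(f"server '{host}' is not an approved SQL Server endpoint")
    # ODBC Driver 18 encrypts by default; 17 and older do not, so Encrypt must be explicit.
    enc = kv.get("encrypt", "").lower()
    default_encrypt = enc == "" and "18" in kv.get("driver", "")
    if not (enc in ("yes", "true", "mandatory", "strict") or default_encrypt):
        findings.append("connection is not encrypted (set Encrypt=yes)")
    if kv.get("trustservercertificate", "").lower() in ("yes", "true"):
        findings.append("TrustServerCertificate=yes skips certificate validation (AitM exposure)")
    if "pwd" in kv:
        findings.append("password embedded in a shareable connection string")
    return findings

if __name__ == "__main__":
    for name, cs in SAMPLE_STRINGS.items():
        print(name, "->", audit(cs) or ["ok"])
```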
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.