CVE-2024-28943 Overview
CVE-2024-28943 is a remote code execution vulnerability in the Microsoft ODBC Driver for SQL Server, which also ships as a component of SQL Server 2019 and SQL Server 2022. The flaw is classified as CWE-122 (Heap-based Buffer Overflow): a malicious or compromised SQL Server endpoint can return crafted protocol responses that corrupt heap memory inside the client process parsing them. Exploitation requires user interaction, because the victim must connect a vulnerable client to an attacker-controlled SQL Server instance. Microsoft published the advisory on April 9, 2024, as part of its monthly security update cycle.
Critical Impact
An attacker who convinces a user to connect a vulnerable ODBC client to a malicious database server can execute arbitrary code in the context of the application performing the connection.
Affected Products
- Microsoft ODBC Driver for SQL Server (Linux, macOS, Windows)
- Microsoft SQL Server 2019 (x64)
- Microsoft SQL Server 2022 (x64)
Discovery Timeline
- 2024-04-09 - CVE-2024-28943 assigned and Microsoft releases security patch
- 2024-04-09 - CVE-2024-28943 published to NVD
- 2025-01-16 - Last updated in NVD database
Technical Details for CVE-2024-28943
Vulnerability Analysis
The vulnerability is a heap-based buffer overflow (CWE-122) in the Microsoft ODBC Driver for SQL Server. The driver mishandles response data received from a SQL Server endpoint during a client session. When the driver parses a malformed server response, it writes past the bounds of an allocated heap buffer. This corruption can overwrite adjacent heap structures, function pointers, or object metadata used by the client process.
Exploitation requires the victim to initiate a connection to an attacker-controlled server. Because the ODBC driver is loaded in-process by the calling application, the resulting code execution runs with that application's privileges; when the caller is a service or scheduled job, that means a foothold on an application or database server rather than a workstation. SQL Server 2019 and 2022 installations are affected because they bundle the ODBC driver as a shared component, so server-side tooling and any outbound connection made through ODBC (for example a linked server defined over an ODBC data source) parse server responses with the same vulnerable code.
Root Cause
The root cause is improper validation of length or size fields contained in network responses from the server. The driver allocates a heap buffer based on assumed bounds, then copies attacker-controlled bytes into that buffer without enforcing the original size limits. This produces an out-of-bounds heap write that can be steered toward control-flow corruption.
Attack Vector
The attack vector is network-based with user interaction required. A typical exploitation path involves an attacker hosting a malicious SQL Server endpoint and inducing a user, application, or linked-server configuration to connect to it. Phishing, malicious connection strings, DNS hijacking of legitimate database hostnames, or compromise of an internal host are realistic delivery methods. Once the connection is established, the malicious server returns a crafted response that triggers the heap overflow during normal client-side parsing.
No public proof-of-concept or in-the-wild exploitation has been reported for this CVE. See the Microsoft Security Update Guide for vendor-specific technical details.
Detection Methods for CVE-2024-28943
Indicators of Compromise
- Unexpected outbound TCP connections from application or SQL Server hosts to untrusted destinations on port 1433 or alternate SQL listener ports.
- Application or sqlservr.exe process crashes with heap corruption exceptions (STATUS_HEAP_CORRUPTION, 0xC0000374) shortly after initiating a database connection.
- Child processes spawned from applications hosting the ODBC driver (msodbcsql*.dll) that do not match historical baselines.
Detection Strategies
- Inventory hosts loading msodbcsql17.dll or msodbcsql18.dll and correlate driver versions against the patched build referenced in the Microsoft advisory.
- Hunt for SQL client processes establishing outbound connections to non-approved database servers, especially internet-routable addresses.
- Alert on process crashes followed by anomalous child process creation, which can indicate post-exploitation activity after heap corruption.
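The three hunts above, run over constructed sample records, as an added example that is not part of the original advisory page. Field names mimic Sysmon Event IDs 7 (image load), 3 (network connection) and 1 (process create) and the Windows Application log Event 1000, flattened into dicts; the trusted database inventory, the child-process baseline and the events themselves are constructed assumptions, and correlating on ProcessId alone (rather than Sysmon's ProcessGuid) is a simplification that a production rule should not make.

```python
"""Hunt logic for the three detection strategies, over constructed sample
records (not real telemetry).  Field names mimic Sysmon Event ID 7 (image
load), 3 (network connection), 1 (process create) and Windows Application
log Event 1000 (application error), flattened into dicts."""
import re
from datetime import datetime, timedelta

ODBC_DLL = re.compile(r"msodbcsql1[78]\.dll$", re.IGNORECASE)
SQL_PORTS = {1433}                                  # default TDS listener; extend per site
APPROVED_DB = {"10.0.5.20", "10.0.5.21"}            # constructed trusted inventory
HEAP_CORRUPTION = "0xc0000374"                      # STATUS_HEAP_CORRUPTION
CHILD_BASELINE = {r"C:\Windows\System32\conhost.exe"}  # constructed: children normally seen


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample: report.exe loads msodbcsql18.dll, talks to an approved
# server, then to an internet host, crashes with heap corruption and spawns
# cmd.exe.  sqlcmd.exe also reaches an unapproved host but never crashes.
# ProcessId is used as the join key here; real rules should use ProcessGuid.
EVENTS = [
    {"t": ts("2024-04-10T09:00:01"), "EventID": 7, "Image": r"C:\App\report.exe",
     "ProcessId": 4100, "ImageLoaded": r"C:\Windows\System32\msodbcsql18.dll"},
    {"t": ts("2024-04-10T09:00:02"), "EventID": 3, "Image": r"C:\App\report.exe",
     "ProcessId": 4100, "DestinationIp": "10.0.5.20", "DestinationPort": 1433},
    {"t": ts("2024-04-10T09:05:10"), "EventID": 3, "Image": r"C:\App\report.exe",
     "ProcessId": 4100, "DestinationIp": "203.0.113.7", "DestinationPort": 1433},
    {"t": ts("2024-04-10T09:05:11"), "EventID": 1000,
     "FaultingApplication": r"C:\App\report.exe", "FaultingProcessId": 4100,
     "ExceptionCode": "0xc0000374"},
    {"t": ts("2024-04-10T09:05:12"), "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ProcessId": 4388, "ParentProcessId": 4100, "ParentImage": r"C:\App\report.exe"},
    {"t": ts("2024-04-10T09:07:00"), "EventID": 3, "Image": r"C:\Tools\sqlcmd.exe",
     "ProcessId": 5200, "DestinationIp": "203.0.113.9", "DestinationPort": 1433},
]


def odbc_processes(events):
    """Strategy 1: (image, pid) pairs that loaded msodbcsql17/18 (Sysmon 7)."""
    return {(e["Image"], e["ProcessId"]) for e in events
            if e["EventID"] == 7 and ODBC_DLL.search(e["ImageLoaded"])}


def unapproved_sql_egress(events, approved=APPROVED_DB):
    """Strategy 2: Sysmon 3 connections to a SQL port outside the inventory."""
    return [e for e in events
            if e["EventID"] == 3 and e["DestinationPort"] in SQL_PORTS
            and e["DestinationIp"] not in approved]


def crash_then_child(events, window=timedelta(seconds=30), baseline=CHILD_BASELINE):
    """Strategy 3: Event 1000 with 0xC0000374 plus an off-baseline child of the
    faulting process within `window`.  The window is applied on either side of
    the crash because a payload usually runs before the host process finally dies."""
    hits = []
    for c in events:
        if c["EventID"] != 1000 or c["ExceptionCode"].lower() != HEAP_CORRUPTION:
            continue
        for p in events:
            if (p["EventID"] == 1 and p["ParentProcessId"] == c["FaultingProcessId"]
                    and p["Image"] not in baseline
                    and abs(p["t"] - c["t"]) <= window):
                hits.append((c["FaultingApplication"], p["Image"]))
    return hits


def hunt(events):
    """Combine the strategies; egress by a process known to host the driver
    ranks highest because it ties the connection to the vulnerable code."""
    loaded = odbc_processes(events)
    egress = unapproved_sql_egress(events)
    return {
        "odbc_hosts": sorted(loaded),
        "egress_from_odbc": [e["DestinationIp"] for e in egress
                             if (e["Image"], e["ProcessId"]) in loaded],
        "egress_other": [e["DestinationIp"] for e in egress
                         if (e["Image"], e["ProcessId"]) not in loaded],
        "crash_then_child": crash_then_child(events),
    }


if __name__ == "__main__":
    for k, v in hunt(EVENTS).items():
        print(f"{k}: {v}")
```

The sqlcmd.exe connection is reported separately because no Sysmon 7 event ties it to the driver; in practice that only means the load happened before logging started or the process was not covered, so it still deserves a look, just at lower priority than the report.exe chain.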
Monitoring Recommendations
- Forward Windows Application and Sysmon logs to centralized analytics to surface ODBC driver faults and unusual module loads.
- Monitor egress firewall logs for SQL traffic crossing trust boundaries that should not communicate with external database servers.
- Track patch deployment status for ODBC Driver 17 and 18 across servers, workstations, and application platforms using SQL connectivity.
How to Mitigate CVE-2024-28943
Immediate Actions Required
- Apply the Microsoft security update for the ODBC Driver for SQL Server on every host that initiates SQL connections, including application servers and developer workstations.
- Patch SQL Server 2019 and SQL Server 2022 installations that ship affected ODBC components.
- Restrict outbound SQL traffic at the network perimeter so internal clients cannot reach untrusted database endpoints.
Patch Information
Microsoft released fixed builds of msodbcsql17 and msodbcsql18, along with SQL Server 2019 and 2022 cumulative updates that include the patched driver. Refer to the Microsoft Security Update Guide for the current minimum fixed versions and download locations for each supported platform (Windows, Linux, macOS).
Workarounds
- Block egress traffic on TCP 1433 and other SQL listener ports to all non-approved destinations until patching is complete.
- Require encrypted, certificate-validated connections (Encrypt=yes;TrustServerCertificate=no, plus HostNameInCertificate on Driver 18 when the certificate name differs from the hostname). This reduces the likelihood that a DNS or on-path redirection lands the client on an untrusted endpoint, because the TLS handshake fails unless the attacker holds a certificate the client trusts for that name. ODBC Driver 18 defaults to Encrypt=yes; Driver 17 does not. It does not help when the connection string itself names an attacker-controlled host.
- Audit linked-server and connection-string configurations for hostnames or IPs outside the trusted database inventory.
# Verify installed ODBC driver version on Linux (Driver 17 and 18 can coexist)
odbcinst -q -d -n "ODBC Driver 18 for SQL Server"   # prints the Driver= path registered in odbcinst.ini
dpkg -l | grep 'msodbcsql1[78]'                     # Debian/Ubuntu: package version column
rpm -qa | grep 'msodbcsql1[78]'                     # RHEL/CentOS: package name carries the version
# Windows: check installed driver versions via PowerShell; compare ProductVersion with the fixed build in the advisory
foreach ($v in 17, 18) {
    $key = "HKLM:\SOFTWARE\ODBC\ODBCINST.INI\ODBC Driver $v for SQL Server"
    $dll = (Get-ItemProperty $key -ErrorAction SilentlyContinue).Driver   # full path to msodbcsql$v.dll
    if ($dll) { "ODBC Driver $v : $((Get-Item $dll).VersionInfo.ProductVersion)" }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.