CVE-2024-28944 Overview
CVE-2024-28944 is a remote code execution vulnerability in the Microsoft OLE DB Driver for SQL Server. The flaw stems from a numeric truncation error [CWE-197] in how the driver processes data returned by a SQL Server connection. An attacker who operates a malicious SQL Server, or who can redirect a client to one, can execute arbitrary code in the context of the client application that connects using the affected driver. Exploitation requires user interaction: the victim must be convinced to initiate a connection to the attacker-controlled server. The vulnerability affects the standalone OLE DB Driver as well as SQL Server 2019 and SQL Server 2022 installations on x64 platforms, which ship the driver.
Critical Impact
Successful exploitation allows arbitrary code execution on the client system with the privileges of the connecting application, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- Microsoft OLE DB Driver for SQL Server
- Microsoft SQL Server 2019 (x64)
- Microsoft SQL Server 2022 (x64)
Discovery Timeline
- 2024-04-09 - CVE-2024-28944 published by Microsoft as part of the April 2024 Patch Tuesday release and added to NVD
- 2025-01-15 - Last updated in NVD database
Technical Details for CVE-2024-28944
Vulnerability Analysis
The vulnerability resides in the client-side Microsoft OLE DB Driver for SQL Server (msoledbsql), the component applications use to communicate with SQL Server instances over the Tabular Data Stream (TDS) protocol. The driver mishandles numeric type conversions on data received from the server. An attacker who induces a victim client to connect to a malicious server can send specially crafted TDS responses that trigger the conversion flaw and corrupt memory in the client process. The CVSS scope is unchanged: code executes in the context of the calling application and its user account, not in a separate security domain.
Root Cause
Microsoft has not published a root-cause analysis; the CWE-197 classification indicates a numeric truncation or improper conversion in the driver's response-parsing routines. When the driver translates server-supplied numeric fields (lengths, counts, type sizes) into client-side data structures, a value that is validated at one integer width and then used at a narrower one lets an attacker-controlled size pass the check. The resulting memory corruption is a primitive that can be developed into remote code execution against any process linking the vulnerable msoledbsql driver.
Attack Vector
Exploitation requires the victim client to connect to an attacker-controlled SQL Server endpoint. This is commonly achieved through phishing links that launch database tools, malicious connection strings embedded in Office documents, Data Link (.udl) files or scripts, or compromise of an internal server the client already trusts. A SQL Server instance is itself an OLE DB client when it queries a linked server, which is why the server products appear in the affected list. The attacker needs no credentials on the victim's network: the malicious server accepts whatever login the client offers, and once the TDS handshake completes it returns crafted result sets that the driver parses before any application logic runs.
No verified public proof-of-concept code is available. Refer to the Microsoft Security Update Guide for CVE-2024-28944 for vendor technical details.
Detection Methods for CVE-2024-28944
Indicators of Compromise
- Outbound TDS connections (TCP/1433, or the custom port a named instance uses; SQL Browser lookups on UDP/1434) from workstations to untrusted external IP addresses.
- Unexpected child processes spawned by applications that load msoledbsql.dll, such as Excel and other Office applications with data connections, SSIS packages, custom line-of-business tools, or sqlservr.exe itself when linked servers are in use.
- Crashes or exception events in client processes whose faulting module is msoledbsql.dll, shortly after a database connection attempt.
Detection Strategies
- Inventory endpoints loading msoledbsql.dll and verify file versions match patched Microsoft releases.
- Hunt process telemetry for SQL client tools establishing connections to non-corporate destinations.
- Correlate user-initiated document opens with subsequent outbound database protocol traffic to surface social-engineering driven exploitation.
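The correlation described in the detection strategies above, as an added PowerShell example that is not code from the original page or from Microsoft: it keeps only processes that loaded msoledbsql.dll and then opened a connection to a SQL Server port outside private address space within a short window. The Sysmon-style records are constructed inline and use the Sysmon field names for Event ID 7 (ImageLoaded) and Event ID 3 (NetworkConnect); the function names Find-SuspiciousTdsConnection and Test-PrivateIPv4, the sample hosts and the 10-minute window are assumptions chosen for the example.

```powershell
# Added example (not from the original page or from Microsoft). Correlate Sysmon-style
# ImageLoad (Event ID 7) and NetworkConnect (Event ID 3) records: report a process only
# when it has loaded msoledbsql.dll AND then reached a SQL Server port outside private
# address space. Events are constructed inline; in production feed the same shape from
# Get-WinEvent or a SIEM export.

function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    # RFC 1918, loopback and link-local count as "inside". Unparsable input is treated
    # as external so that it is surfaced rather than silently dropped.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Find-SuspiciousTdsConnection {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int[]]$SqlPorts = @(1433),        # add the ports of named instances you use
        [int]$WindowMinutes = 10           # assumed window between driver load and connect
    )
    # Earliest msoledbsql.dll load per process, keyed by ProcessGuid.
    $loaders = @{}
    foreach ($e in $Events | Where-Object { $_.EventId -eq 7 -and $_.ImageLoaded -like '*\msoledbsql.dll' }) {
        if (-not $loaders.ContainsKey($e.ProcessGuid) -or $e.Time -lt $loaders[$e.ProcessGuid].Time) {
            $loaders[$e.ProcessGuid] = $e
        }
    }
    # Outbound TCP connects to a SQL port, from a driver-loading process, to a non-private address.
    foreach ($e in $Events | Where-Object { $_.EventId -eq 3 -and $_.Protocol -eq 'tcp' }) {
        if ($e.DestinationPort -notin $SqlPorts) { continue }
        if (-not $loaders.ContainsKey($e.ProcessGuid)) { continue }
        if (Test-PrivateIPv4 $e.DestinationIp) { continue }
        $load = $loaders[$e.ProcessGuid]
        if ($e.Time -lt $load.Time -or ($e.Time - $load.Time).TotalMinutes -gt $WindowMinutes) { continue }
        [pscustomobject]@{
            Time        = $e.Time
            Image       = $e.Image
            User        = $e.User
            Destination = '{0}:{1}' -f $e.DestinationIp, $e.DestinationPort
            DriverLoad  = $load.Time
            Reason      = 'OLE DB consumer connected to a SQL Server port outside private address space'
        }
    }
}

# Constructed sample telemetry (hosts, GUIDs and users are made up for this example).
$t0 = Get-Date '2024-04-15T09:30:00'
$sample = @(
    [pscustomobject]@{ EventId = 7; Time = $t0;               ProcessGuid = '{A1}'; Image = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'; User = 'CORP\jdoe';    ImageLoaded = 'C:\Windows\System32\msoledbsql.dll' }
    [pscustomobject]@{ EventId = 3; Time = $t0.AddSeconds(5); ProcessGuid = '{A1}'; Image = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'; User = 'CORP\jdoe';    Protocol = 'tcp'; DestinationIp = '203.0.113.45'; DestinationPort = 1433 }   # flagged
    [pscustomobject]@{ EventId = 7; Time = $t0;               ProcessGuid = '{B2}'; Image = 'C:\Apps\Reporting\Report.exe';                                User = 'CORP\svc_rpt'; ImageLoaded = 'C:\Windows\System32\msoledbsql.dll' }
    [pscustomobject]@{ EventId = 3; Time = $t0.AddSeconds(2); ProcessGuid = '{B2}'; Image = 'C:\Apps\Reporting\Report.exe';                                User = 'CORP\svc_rpt'; Protocol = 'tcp'; DestinationIp = '10.20.5.17';   DestinationPort = 1433 }   # internal, ignored
    [pscustomobject]@{ EventId = 3; Time = $t0.AddSeconds(9); ProcessGuid = '{C3}'; Image = 'C:\Program Files\Mozilla Firefox\firefox.exe';                User = 'CORP\jdoe';    Protocol = 'tcp'; DestinationIp = '203.0.113.45'; DestinationPort = 1433 }   # no driver load, ignored
)

Find-SuspiciousTdsConnection -Events $sample -SqlPorts 1433, 1434 | Format-Table -AutoSize
```

Only the Excel record is reported: the reporting tool talks to an RFC 1918 address and the browser never loaded the driver. Extend the private-range check with your own public ranges and the port list with every named-instance port in use, otherwise legitimate traffic to a cloud-hosted SQL Server will be reported and traffic to custom ports will be missed.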
Monitoring Recommendations
- Alert on new outbound SQL Server connections crossing network perimeter or VPN boundaries.
- Monitor module load events for the OLE DB driver across endpoints to maintain an authoritative software inventory.
- Track Windows error reporting and application crash events tied to processes consuming the driver.
How to Mitigate CVE-2024-28944
Immediate Actions Required
- Apply the April 2024 Microsoft security updates for the OLE DB Driver for SQL Server and SQL Server 2019/2022 on all affected systems.
- Update standalone deployments of the OLE DB Driver (msoledbsql) on client workstations, application servers, and CI/CD agents.
- Block outbound SQL Server protocol traffic to untrusted destinations at the network perimeter.
Patch Information
Microsoft released fixed versions of the OLE DB Driver for SQL Server and updates to SQL Server 2019 and 2022 on April 9, 2024. Refer to the Microsoft Security Update Guide for CVE-2024-28944 for the specific build numbers and download packages corresponding to each affected product.
Workarounds
- Restrict client systems to connect only to known internal SQL Server endpoints using firewall egress policies.
- Enforce application allowlisting to prevent execution of untrusted SQL client tools that could be lured into malicious connections.
- Educate users about phishing payloads that embed connection strings in Office documents, Data Link (.udl) files, or scripts.
# Verify installed OLE DB Driver versions on Windows endpoints. Read the Uninstall registry keys
# (64- and 32-bit) instead of Win32_Product, which is slow and triggers an MSI consistency
# check of every installed product as a side effect.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName -like "*OLE DB Driver*for SQL Server*" } | Select-Object DisplayName, DisplayVersion
# Block outbound SQL Server traffic to non-corporate ranges (example; add rules for any custom instance ports)
New-NetFirewallRule -DisplayName "Block-Outbound-TDS-External" -Direction Outbound -Protocol TCP -RemotePort 1433 -RemoteAddress Internet -Action Block
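The lure formats named in the attack vector section (connection strings in documents, scripts and .udl files) and the "known internal SQL Server endpoints" workaround above, as an added PowerShell example that is not code from the original page or from Microsoft: it extracts the host from every OLE DB init string that names the SQL Server provider and reports those not on an allowlist. The two .udl bodies, the allowlist and the function names Get-OleDbDataSourceHost and Test-OleDbLure are assumptions constructed for the example; the .udl layout (an [oledb] section followed by the init string) is the standard Data Link file format.

```powershell
# Added example (not from the original page or from Microsoft). Scan text for OLE DB
# init strings that use the SQL Server provider and flag any whose Data Source is not
# an approved internal server. Input is constructed inline.

function Get-OleDbDataSourceHost {
    param([Parameter(Mandatory)][string]$ConnectionString)
    # Return the host named by the init string, or $null if it names none.
    # OLE DB accepts several synonyms for the server keyword.
    $keys = 'data source', 'server', 'address', 'addr', 'network address'
    foreach ($part in $ConnectionString -split ';') {
        $kv = $part -split '=', 2
        if ($kv.Count -ne 2) { continue }
        if ($keys -contains $kv[0].Trim().ToLowerInvariant()) {
            $value = $kv[1].Trim().Trim('"')
            $value = $value -replace '^(tcp|np|lpc):', ''   # strip protocol prefix
            $value = ($value -split '[,\\]')[0]             # strip ",port" and "\instance"
            return $value
        }
    }
    return $null
}

function Test-OleDbLure {
    param(
        [Parameter(Mandatory)][string]$Text,            # .udl body, script, or document payload
        [Parameter(Mandatory)][string[]]$KnownServers   # approved internal SQL Server hosts
    )
    # Match each line that carries a SQL Server OLE DB provider (MSOLEDBSQL, MSOLEDBSQL19,
    # and the legacy SQLOLEDB / SQLNCLI names) and report its host and approval status.
    $pattern = '(?i)[^\r\n]*provider\s*=\s*(msoledbsql|sqloledb|sqlncli)[^\r\n]*'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $cs = $m.Value.Trim()
        $dbHost = Get-OleDbDataSourceHost $cs
        $approved = $dbHost -and ($KnownServers -contains $dbHost)   # -contains is case-insensitive
        [pscustomobject]@{
            Host             = $dbHost
            Approved         = [bool]$approved
            ConnectionString = $cs
        }
    }
}

# Constructed samples: a benign .udl and a lure .udl pointing at an external address.
$knownServers = 'sql01.corp.example', 'sql02.corp.example', '10.20.5.17'
$benignUdl = @"
[oledb]
; Everything after this line is an OLE DB initstring
Provider=MSOLEDBSQL;Data Source=sql01.corp.example;Initial Catalog=Sales;Integrated Security=SSPI
"@
$lureUdl = @"
[oledb]
; Everything after this line is an OLE DB initstring
Provider=MSOLEDBSQL19;Data Source=tcp:203.0.113.45,1433;Initial Catalog=Sales;User ID=sa;Password=x
"@

Test-OleDbLure -Text $benignUdl -KnownServers $knownServers                                      # Approved = True
Test-OleDbLure -Text $lureUdl   -KnownServers $knownServers | Where-Object { -not $_.Approved }  # reports 203.0.113.45
```

To sweep a file share or a mailbox export, read each candidate with Get-Content -Raw (Data Link files are often UTF-16, which Get-Content detects from the byte-order mark) and pipe the text through Test-OleDbLure. A host that is missing from the allowlist is not proof of a lure, but it is exactly the connection a user should not be clicking through.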
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.