CVE-2024-29045 Overview
CVE-2024-29045 is a remote code execution vulnerability in the Microsoft OLE DB Driver for SQL Server. The flaw is classified under [CWE-121] as a stack-based buffer overflow. An attacker can trigger the vulnerability when a victim connects a vulnerable client driver to a malicious SQL Server instance. Successful exploitation allows arbitrary code execution in the context of the connecting application.
The vulnerability affects the OLE DB Driver shipped with SQL Server 2019 and SQL Server 2022 on x64 platforms. Microsoft published the advisory on April 9, 2024 as part of its monthly security update cycle.
Critical Impact
Remote code execution with high confidentiality, integrity, and availability impact when a vulnerable client connects to an attacker-controlled SQL Server.
Affected Products
- Microsoft OLE DB Driver for SQL Server
- Microsoft SQL Server 2019 (x64)
- Microsoft SQL Server 2022 (x64)
Discovery Timeline
- 2024-04-09 - CVE-2024-29045 assigned and published to NVD
- 2024-04-09 - Microsoft released security patch through the April 2024 Patch Tuesday update
- 2025-01-15 - Last updated in NVD database
Technical Details for CVE-2024-29045
Vulnerability Analysis
The vulnerability is a stack-based buffer overflow in the Microsoft OLE DB Driver for SQL Server. The defect is tracked as [CWE-121]. Exploitation requires user interaction, meaning a client application must initiate a connection to an attacker-controlled SQL Server endpoint. The high attack complexity reflects the need to lure a victim into connecting to a malicious server and to align memory state for reliable exploitation.
The EPSS probability is 1.69% with a percentile near 82.5, indicating moderate scanner and research interest relative to other published CVEs. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of writing.
Root Cause
The root cause is improper bounds validation on data returned from a SQL Server during connection or query processing inside the OLE DB client driver. When the driver copies attacker-controlled server response data into a fixed-size stack buffer, the absence of sufficient length checks allows adjacent stack memory to be overwritten. Overwriting saved return addresses or structured exception handlers can redirect execution into attacker-supplied content.
Attack Vector
An attacker hosts a malicious SQL Server endpoint and induces a victim application to connect through the OLE DB Driver. Common scenarios include phishing links that launch database tools, web applications configured with attacker-controlled connection strings, or compromised internal services performing outbound database calls. Once the vulnerable client parses the malformed server response, code executes in the security context of the client process.
See the Microsoft Security Advisory for CVE-2024-29045 for vendor technical details.
Detection Methods for CVE-2024-29045
Indicators of Compromise
- Outbound TCP connections from application or developer hosts to unexpected SQL Server endpoints on port 1433 or non-standard ports.
- Unexpected child processes spawned by applications that load msoledbsql.dll or sqlncli.dll.
- Crashes in processes hosting the OLE DB Driver with stack corruption signatures in Windows Error Reporting.
Detection Strategies
- Inventory hosts loading msoledbsql.dll and correlate driver file versions against patched releases.
- Alert on processes loading the OLE DB Driver that subsequently spawn cmd.exe, powershell.exe, or other living-off-the-land binaries.
- Inspect network telemetry for SQL Server connections that bypass approved internal database hosts and resolve to external or untrusted IP ranges.
Monitoring Recommendations
- Enable PowerShell and process command-line logging on developer workstations and application servers that use OLE DB.
- Monitor for module load events for msoledbsql.dll followed by suspicious memory allocation or thread creation patterns.
- Track Windows Error Reporting events referencing OLE DB modules to surface attempted exploitation that results in crashes.
How to Mitigate CVE-2024-29045
Immediate Actions Required
- Apply the April 2024 Microsoft security update for the OLE DB Driver for SQL Server on all affected systems.
- Update the standalone Microsoft OLE DB Driver (msoledbsql) on any host that connects to SQL Server, including application servers, ETL hosts, and developer endpoints.
- Restrict outbound SQL Server traffic to an allowlist of approved internal database hosts.
Patch Information
Microsoft addressed CVE-2024-29045 through the April 9, 2024 security release. Fixed driver versions and SQL Server cumulative updates are listed in the Microsoft Security Update Guide. Administrators should validate the installed version of msoledbsql.dll matches or exceeds the patched build referenced in the advisory.
Workarounds
- Block egress to untrusted SQL Server endpoints at the perimeter and host-based firewalls until patching is complete.
- Avoid opening database connections from untrusted or user-supplied connection strings in client applications.
- Use least-privilege service accounts for processes that initiate OLE DB connections to limit blast radius if exploitation occurs.
# Verify installed OLE DB Driver version on Windows
powershell -Command "Get-Item 'C:\Program Files\Common Files\System\Ole DB\msoledbsql.dll' | Select-Object VersionInfo"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
