CVE-2024-37322 Overview
CVE-2024-37322 is a remote code execution vulnerability in the Microsoft SQL Server Native Client OLE DB Provider. The flaw affects SQL Server 2016, 2017, 2019, and 2022. Microsoft classifies it as a heap-based buffer overflow [CWE-122] reachable across the network when a user is induced to connect to a malicious SQL Server instance.
Exploitation requires user interaction but no prior authentication. A successful attack lets an adversary execute arbitrary code in the context of the client process, with high impact on confidentiality, integrity, and availability.
Critical Impact
An attacker who controls a malicious SQL Server endpoint can execute arbitrary code on any client system that connects through the Native Client OLE DB Provider, leading to full compromise of the client process.
Affected Products
- Microsoft SQL Server 2016
- Microsoft SQL Server 2017
- Microsoft SQL Server 2019
- Microsoft SQL Server 2022
Discovery Timeline
- 2024-07-09 - CVE-2024-37322 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-37322
Vulnerability Analysis
The vulnerability resides in the SQL Server Native Client OLE DB Provider, the client-side component that applications use to connect to SQL Server instances over the Tabular Data Stream (TDS) protocol. The provider mishandles server-supplied data during connection processing, producing a heap-based buffer overflow [CWE-122].
The attack model is client-side. An adversary stands up a malicious SQL Server instance and convinces a target to initiate an OLE DB connection. When the client parses crafted response data from the rogue server, the overflow corrupts heap memory and can divert execution to attacker-controlled code.
Because the Native Client OLE DB Provider is embedded in many legacy line-of-business applications, ETL pipelines, and reporting tools, a single user action such as opening a Data Source Name (DSN) or following a connection link can reach the vulnerable code path.
Root Cause
The root cause is improper validation of length or size fields in data returned by the SQL Server during the OLE DB connection handshake. Insufficient bounds checking before a memory copy operation lets attacker-controlled bytes write past the boundary of a heap allocation, corrupting adjacent objects and metadata.
Attack Vector
The attack vector is network-based but requires user interaction. The attacker must lure a user to connect their client application to a malicious SQL Server endpoint, for example through a phishing link, a poisoned shortcut file, a manipulated DSN, or a man-in-the-middle position on an existing connection.
No verified public proof-of-concept code is available for CVE-2024-37322. Refer to the Microsoft Security Update Guide for authoritative technical details.
Detection Methods for CVE-2024-37322
Indicators of Compromise
- Outbound TDS connections (typically TCP/1433 or dynamic ports) from workstations to untrusted or newly observed SQL Server hosts.
- Unexpected child processes spawned from applications hosting the OLE DB provider, such as excel.exe, msaccess.exe, or custom database clients.
- Crashes or anomalous heap exceptions in processes loading sqlncli11.dll or msoledbsql.dll.
- New or modified Data Source Names (DSNs) in the Windows registry under HKLM\SOFTWARE\ODBC\ODBC.INI pointing to external hosts.
Detection Strategies
- Inspect process telemetry for loads of the SQL Server Native Client OLE DB Provider libraries followed by suspicious code execution patterns such as memory allocation with RWX permissions or shellcode-like behavior.
- Correlate connection events to SQL Server endpoints with the originating process and the destination reputation to flag connections to attacker-controlled infrastructure.
- Hunt for office productivity or BI tools initiating SQL connections outside of established server inventories.
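The correlation described in the detection strategies and indicators above, as an added example (not part of the original advisory): constructed Sysmon-style image-load and network-connection events are joined per process, TDS connections to hosts outside a constructed SQL Server inventory are flagged, and severity is raised when the process has loaded sqlncli11.dll or msoledbsql.dll or is one of the Office lure hosts named on this page.

```python
"""Hunt for TDS connections to unknown SQL Server hosts, escalating when the
connecting process has loaded an OLE DB provider DLL (the IoCs listed above).
Added example: log format, inventory and events are all constructed."""
import re
from collections import defaultdict

# Constructed allowlist of sanctioned SQL Server hosts (the per-host baseline).
SQL_INVENTORY = {"10.0.5.20", "10.0.5.21"}
# Provider libraries named in the IoCs; a load followed by a TDS connection is the pattern.
PROVIDER_DLLS = {"sqlncli11.dll", "msoledbsql.dll"}
# Office and BI processes a lure is likely to reach.
LURE_HOSTS = {"excel.exe", "msaccess.exe"}
TDS_PORTS = {("tcp", 1433), ("udp", 1434)}  # TDS and SQL Browser
LINE_RE = re.compile(r"(\w+)=(\S+)")

# Constructed, Sysmon-style events: type=load (image load) and type=net (connection).
SAMPLE_LOG = """\
type=load pid=4120 image=excel.exe module=sqlncli11.dll
type=net pid=4120 image=excel.exe proto=tcp dst=10.0.5.20 dport=1433
type=load pid=5310 image=excel.exe module=msoledbsql.dll
type=net pid=5310 image=excel.exe proto=tcp dst=203.0.113.44 dport=1433
type=net pid=6001 image=etl_runner.exe proto=udp dst=203.0.113.44 dport=1434
type=net pid=7002 image=chrome.exe proto=tcp dst=203.0.113.44 dport=443
"""

def parse(log):
    """Turn key=value lines into dicts, skipping blank lines."""
    return [dict(LINE_RE.findall(line)) for line in log.splitlines() if line.strip()]

def hunt(events):
    """Return (pid, image, dst, severity) for TDS connections to non-inventory hosts."""
    loaded = defaultdict(set)  # pid -> provider DLLs it has loaded
    for e in events:
        if e.get("type") == "load" and e.get("module", "").lower() in PROVIDER_DLLS:
            loaded[e["pid"]].add(e["module"].lower())
    alerts = []
    for e in events:
        if e.get("type") != "net":
            continue
        if (e["proto"], int(e["dport"])) not in TDS_PORTS or e["dst"] in SQL_INVENTORY:
            continue  # not TDS, or a sanctioned server
        # Provider already loaded, or a known lure host: raise severity.
        severity = "high" if e["pid"] in loaded or e["image"].lower() in LURE_HOSTS else "medium"
        alerts.append((e["pid"], e["image"], e["dst"], severity))
    return alerts

if __name__ == "__main__":
    for alert in hunt(parse(SAMPLE_LOG)):
        print(alert)
```

The connection from pid 4120 is suppressed because its destination is in the inventory, while the two connections to 203.0.113.44 are reported at different severities.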
Monitoring Recommendations
- Enable network telemetry for TDS traffic and baseline legitimate SQL Server destinations per host and user.
- Log Windows Defender Application Control or AppLocker events that block or audit OLE DB provider loads from unusual parent processes.
- Forward endpoint, network, and identity telemetry to a centralized analytics platform to correlate user-interaction lures with subsequent SQL connections and process behavior.
How to Mitigate CVE-2024-37322
Immediate Actions Required
- Apply the July 2024 Microsoft security updates that address CVE-2024-37322 to all SQL Server 2016, 2017, 2019, and 2022 client installations.
- Inventory endpoints that ship the SQL Server Native Client (sqlncli11.dll) or the newer Microsoft OLE DB Driver (msoledbsql.dll) and prioritize patching of user-facing workstations.
- Restrict outbound TDS traffic to an allowlist of approved SQL Server endpoints at the firewall or zero-trust gateway.
- Train users to refuse unexpected prompts to connect to unfamiliar SQL Server hosts or to open .udl, .odc, or DSN files from untrusted sources.
Patch Information
Microsoft published the official fix in the Security Update Guide entry for CVE-2024-37322. Administrators should consult the advisory for the cumulative update or GDR package matching each SQL Server build and apply it through Windows Update, WSUS, or the Microsoft Update Catalog.
Workarounds
- Where patching is delayed, block egress to TCP/1433 and SQL Browser UDP/1434 to all destinations outside the trusted database subnet.
- Remove or disable the legacy SQL Server Native Client on hosts that do not require it and migrate applications to a patched OLE DB driver.
- Use application allowlisting to prevent untrusted processes from loading the OLE DB provider DLLs.
# Example: block outbound SQL Server traffic from Windows clients (run from an elevated PowerShell session).
# Note: -RemoteAddress Any blocks TDS to every destination, including the trusted database subnet.
# Replace Any with the untrusted address ranges to match the workaround above; Windows Firewall
# block rules take precedence over allow rules, so an allow rule for the trusted subnet will not
# carve out an exception from a block rule scoped to Any.
New-NetFirewallRule -DisplayName "Block Outbound TDS" -Direction Outbound `
    -Protocol TCP -RemotePort 1433 -RemoteAddress Any -Action Block
# SQL Browser instance discovery uses UDP/1434.
New-NetFirewallRule -DisplayName "Block SQL Browser" -Direction Outbound `
    -Protocol UDP -RemotePort 1434 -RemoteAddress Any -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.