CVE-2024-37328 Overview
CVE-2024-37328 is a remote code execution vulnerability in the Microsoft SQL Server Native Client OLE DB Provider. The flaw resides in the data access component used by clients to connect to SQL Server instances. An attacker who convinces a user to connect to a malicious SQL Server instance can trigger memory corruption and execute arbitrary code in the context of the client process. The vulnerability is tracked as a heap-based buffer overflow [CWE-122] and affects SQL Server 2016, 2017, 2019, and 2022. Microsoft addressed the issue in the July 2024 security update cycle.
Critical Impact
Successful exploitation grants remote code execution in the context of the client process, enabling full compromise of the connecting workstation.
Affected Products
- Microsoft SQL Server 2016
- Microsoft SQL Server 2017
- Microsoft SQL Server 2019
- Microsoft SQL Server 2022
Discovery Timeline
- 2024-07-09 - CVE-2024-37328 published to NVD
- 2024-07-09 - Microsoft releases security update via MSRC advisory
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-37328
Vulnerability Analysis
The vulnerability exists in the SQL Server Native Client OLE DB Provider (sqlncli), which client applications use to communicate with SQL Server over the Tabular Data Stream (TDS) protocol. The provider mishandles attacker-controlled response data returned by a malicious SQL Server. This mishandling produces a heap-based buffer overflow [CWE-122] within the client process. Exploitation requires user interaction: the victim must initiate a connection to an attacker-controlled server. Once triggered, the overflow allows the attacker to corrupt heap structures and redirect execution. The result is arbitrary code execution at the privilege level of the application invoking the OLE DB provider.
Root Cause
The defect stems from improper validation of length or boundary fields within structured TDS response messages parsed by the Native Client. When the provider processes a crafted server response, it writes past the allocated heap buffer. This violates memory safety guarantees and corrupts adjacent heap metadata or function pointers.
Attack Vector
The attack vector is network-based with required user interaction. An attacker hosts a malicious SQL Server endpoint and lures a victim into connecting using any application that loads the vulnerable OLE DB provider. Common delivery methods include phishing emails containing Office documents with embedded data connections, malicious .udl files, or crafted ODC files that point to the attacker's server. No prior authentication to the victim's environment is required, and the attacker controls the malicious server response in full.
No verified public proof-of-concept code is available. See the Microsoft Security Update Guide for vendor technical details.
Detection Methods for CVE-2024-37328
Indicators of Compromise
- Outbound TDS connections (TCP/1433 or custom SQL ports) from endpoints to untrusted external IP addresses or domains.
- Unexpected child processes spawned by Microsoft Office applications, excel.exe, or other clients that load sqlncli11.dll.
- Crash events or Windows Error Reporting entries referencing sqlncli11.dll or msoledbsql.dll with access violation exceptions.
- Delivery of .udl, .odc, or Office documents containing external data connections to unfamiliar SQL Server endpoints.
Detection Strategies
- Monitor process telemetry for client applications loading the Native Client DLL followed by network egress to non-corporate SQL Server hosts.
- Hunt for anomalous parent-child relationships where Office or browser processes invoke command interpreters such as cmd.exe or powershell.exe after a database connection event.
- Inspect email gateways for attachments containing OLE DB connection strings referencing external hosts.
Monitoring Recommendations
- Enable Windows Defender Exploit Guard and audit Image Load events for sqlncli11.dll and msoledbsql.dll across the fleet.
- Forward endpoint, network, and email telemetry to a centralized analytics platform to correlate connection attempts with downstream process activity.
- Alert on Windows Error Reporting telemetry indicating heap corruption in database client modules.
How to Mitigate CVE-2024-37328
Immediate Actions Required
- Apply the July 2024 Microsoft security updates referenced in the MSRC advisory for CVE-2024-37328 to all SQL Server 2016, 2017, 2019, and 2022 client and server installations.
- Inventory endpoints that have the SQL Server Native Client installed and prioritize patching for workstations used by analysts, developers, and database administrators.
- Block outbound TCP/1433 and other SQL Server ports at the perimeter firewall except to approved internal database servers.
Patch Information
Microsoft published cumulative security updates for SQL Server 2016 SP3, SQL Server 2017, SQL Server 2019, and SQL Server 2022 on July 9, 2024. Administrators should consult the Microsoft Security Update Guide for the specific build numbers and download links applicable to each supported version and servicing branch.
Workarounds
- Restrict execution of the SQL Server Native Client OLE DB Provider through application control policies on endpoints that do not require database connectivity.
- Train users to refuse opening .udl, .odc, and Office documents containing data connections from untrusted sources.
- Where feasible, migrate applications to the latest Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL) supported version with the corresponding patches applied.
# Verify SQL Server Native Client version on Windows endpoints
reg query "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server Native Client 11.0\CurrentVersion" /v Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
