
CVE-2024-37332: SQL Server 2016 RCE Vulnerability

CVE-2024-37332 is a remote code execution vulnerability in the Microsoft SQL Server Native Client OLE DB Provider. A client that connects to an attacker-controlled SQL Server endpoint can be made to execute arbitrary code in the context of the connecting process. This article covers technical details, affected versions, detection, and mitigation.


CVE-2024-37332 Overview

CVE-2024-37332 is a remote code execution vulnerability in the Microsoft SQL Server Native Client OLE DB Provider. The flaw affects all currently supported SQL Server releases from 2016 through 2022. Microsoft published the advisory on July 9, 2024 as part of its monthly security update cycle.

Exploitation requires user interaction: a victim must connect to, or run a query against, an attacker-controlled SQL Server instance. A successful attack lets the adversary execute arbitrary code in the context of the client process that opened the connection. The weakness is classified as CWE-122 (Heap-based Buffer Overflow).

Critical Impact

An attacker who can induce a client to connect to a SQL Server endpoint under their control gains code execution on that client with the privileges of the connecting process, which can lead to full compromise of the host's confidentiality, integrity, and availability. The attacker's server only needs to be reachable from the victim; no inbound access to the victim is required.

Affected Products

  • Microsoft SQL Server 2016
  • Microsoft SQL Server 2017
  • Microsoft SQL Server 2019
  • Microsoft SQL Server 2022

Discovery Timeline

  • 2024-07-09 - CVE-2024-37332 published to NVD and Microsoft released a security patch
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-37332

Vulnerability Analysis

The vulnerability resides in the SQL Server Native Client OLE DB Provider (SQLNCLI, sqlncli11.dll); the Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL, msoledbsql.dll) that succeeded it is covered by the same update guidance. This component carries data between client applications and SQL Server backends as Tabular Data Stream (TDS) messages. An attacker who controls a SQL Server endpoint can return malformed responses that trigger a heap-based buffer overflow inside the client-side provider while it parses them.

When the provider parses the attacker-controlled response, it writes past the bounds of a heap allocation. The overflow corrupts adjacent heap metadata and structures used by the calling process. Attackers can leverage this corruption to hijack execution flow and run arbitrary code in the process context that initiated the connection.

Because the OLE DB provider is widely embedded in SQL Server tooling, Integration Services packages, linked server queries, and third-party applications, exposure extends beyond database administrators to any system that issues outbound SQL connections. The vulnerable code runs on the connecting side, so patching the SQL Server engine alone does not protect clients that still carry an unpatched provider, and a SQL Server instance acting as a linked-server client is itself exposed.

Root Cause

The root cause is improper bounds validation when the OLE DB provider deserializes server-supplied data structures. The component trusts size and length fields received from the server without enforcing safe limits before copying data into a fixed heap buffer. See the Microsoft CVE-2024-37332 Update Guide for vendor technical details.
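As an added example (not the provider's code and not derived from the advisory), here is a length-prefixed response parser written the way the root cause paragraph says the vulnerable provider should have behaved: each server-supplied length is checked against the bytes actually received and against the destination buffer size before any copy happens. The token framing (type byte, 2-byte little-endian length, payload), the token type values and the 256-byte buffer are simplifications chosen for the example, not the real TDS token set or the provider's allocation strategy.

```python
"""Added example (not the provider's code): a length-prefixed response parser
with the bounds checks the root cause section says were missing."""
import struct
from typing import List, Optional, Tuple

# Hypothetical fixed-size destination buffer; the real provider's sizes are unknown here.
FIXED_BUFFER_SIZE = 256


class MalformedResponse(ValueError):
    """Raised instead of copying past the end of the destination buffer."""


def parse_tokens(stream: bytes, buffer_size: int = FIXED_BUFFER_SIZE) -> List[Tuple[int, bytes]]:
    """Parse (type, payload) tokens framed as 1-byte type + 2-byte LE length + payload.

    Both checks happen before any byte is copied: the declared length must not
    exceed what the server actually sent, and it must fit the buffer.
    """
    tokens = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 3:
            raise MalformedResponse(f"truncated token header at offset {pos}")
        token_type = stream[pos]
        (declared_len,) = struct.unpack_from("<H", stream, pos + 1)
        pos += 3
        remaining = len(stream) - pos
        if declared_len > remaining:            # server lies about how much follows
            raise MalformedResponse(
                f"token 0x{token_type:02x} declares {declared_len} bytes, only {remaining} remain")
        if declared_len > buffer_size:          # would overrun the fixed allocation
            raise MalformedResponse(
                f"token 0x{token_type:02x} payload of {declared_len} bytes exceeds "
                f"{buffer_size}-byte buffer")
        buf = bytearray(buffer_size)            # stands in for the fixed heap buffer
        buf[:declared_len] = stream[pos:pos + declared_len]   # safe: length validated above
        tokens.append((token_type, bytes(buf[:declared_len])))
        pos += declared_len
    return tokens


def build_token(token_type: int, payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode a token; declared_len lets a test forge a length field that lies."""
    length = len(payload) if declared_len is None else declared_len
    return struct.pack("<BH", token_type, length) + payload


def check(stream: bytes) -> str:
    """Summarise whether a response parses or is rejected, and why."""
    try:
        return f"ok: {len(parse_tokens(stream))} tokens"
    except MalformedResponse as exc:
        return f"rejected: {exc}"


# Constructed responses: one well-formed, two hostile. Token type values are arbitrary.
BENIGN = build_token(0xAA, b"hello") + build_token(0xFD, b"\x00" * 12)
OVERLONG = build_token(0xAA, b"x" * 16, declared_len=0xFFFF)   # claims 65535 bytes, sends 16
OVERSIZED = build_token(0xAA, b"y" * 300)                       # honest length, too big for buffer

if __name__ == "__main__":
    for name, response in (("benign", BENIGN), ("overlong", OVERLONG), ("oversized", OVERSIZED)):
        print(f"{name:10} {check(response)}")
```

The two rejections correspond to the two failure modes a length field can introduce: a length larger than the data that was actually received (an over-read or a copy that runs off the end of the receive buffer) and a length that is internally consistent but larger than the destination allocation (the heap overflow described above). A parser that checks only one of them is still exploitable through the other.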

Attack Vector

The attack vector is network-based but requires user interaction. An attacker must get a user, application, or administrator to initiate a connection to a SQL Server instance under attacker control. Common delivery paths include malicious linked server definitions, crafted ODBC data sources, phishing emails carrying .udl or .odc connection files, and compromised internal SQL endpoints reused for lateral movement.

Detection Methods for CVE-2024-37332

Indicators of Compromise

  • Outbound TDS connections from workstations or application servers to untrusted external IP addresses on TCP/1433 or non-standard SQL ports.
  • Unexpected crashes of processes that load msoledbsql.dll or sqlncli11.dll, including ssms.exe, dtexec.exe, and Office applications.
  • Creation of new linked server definitions pointing to external hosts within sys.servers.
  • Child processes spawned from SQL client tooling, such as cmd.exe or powershell.exe launched by ssms.exe.

Detection Strategies

  • Monitor module loads of msoledbsql.dll and sqlncli11.dll (Sysmon Event ID 7 where it is deployed) and alert on access violations in processes that have loaded them.
  • Inspect network telemetry for SQL Server connections crossing trust boundaries, especially egress to internet hosts.
  • Audit Application log Event ID 1000 (Application Error) entries whose faulting module is msoledbsql.dll or sqlncli11.dll.

Monitoring Recommendations

  • Track installed versions of MSOLEDBSQL and SQL Server Native Client across the fleet and flag systems running unpatched builds.
  • Alert on new or modified linked server entries and ODBC Data Source Name (DSN) configurations.
  • Correlate SQL client process execution with subsequent script interpreter or LOLBin activity for post-exploitation indicators.
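The following is an added example, not from the original page, that applies the indicators and strategies above to constructed telemetry: JSON lines whose field names mirror Sysmon Event ID 3 (network connection), Sysmon Event ID 1 (process creation) and Application log Event ID 1000 (application crash) records. All hosts, paths and addresses are made up, and msoledbsql19.dll (OLE DB Driver 19) is added to the DLL list beyond what the page names.

```python
"""Added example (not from the original page): the indicators and
strategies above applied to constructed host telemetry."""
import ipaddress
import json
from pathlib import PureWindowsPath

# DLLs named on this page, plus msoledbsql19.dll (OLE DB Driver 19), an addition here.
PROVIDER_DLLS = {"msoledbsql.dll", "msoledbsql19.dll", "sqlncli11.dll"}
SQL_CLIENT_TOOLS = {"ssms.exe", "dtexec.exe", "sqlcmd.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Default listener and SQL Browser; TDS on non-standard ports needs deeper inspection than this.
SQL_PORTS = {1433, 1434}


def _exe(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _is_external(ip: str) -> bool:
    """Routable address outside RFC1918, loopback, link-local and similar ranges."""
    return ipaddress.ip_address(ip).is_global


def evaluate(rec: dict):
    """Map one telemetry record to (rule, detail), or None if nothing fires."""
    event = rec.get("event")
    if event == "network_connect":          # Sysmon Event ID 3 fields
        port = int(rec["DestinationPort"])
        if rec.get("Initiated") and port in SQL_PORTS and _is_external(rec["DestinationIp"]):
            return ("egress_sql_connection",
                    f"{_exe(rec['Image'])} -> {rec['DestinationIp']}:{port}")
    elif event == "app_crash":              # Application log Event ID 1000 fields
        if _exe(rec["FaultingModule"]) in PROVIDER_DLLS:
            return ("provider_crash",
                    f"{_exe(rec['Application'])} faulted in {_exe(rec['FaultingModule'])} "
                    f"exception {rec.get('ExceptionCode', '?')}")
    elif event == "process_create":         # Sysmon Event ID 1 fields
        if _exe(rec["ParentImage"]) in SQL_CLIENT_TOOLS and _exe(rec["Image"]) in SCRIPT_HOSTS:
            return ("sql_client_spawned_shell",
                    f"{_exe(rec['ParentImage'])} -> {_exe(rec['Image'])} "
                    f"[{rec.get('CommandLine', '')}]")
    return None


def scan(log_lines):
    """Run evaluate() over JSON lines and return the findings in log order."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if line:
            hit = evaluate(json.loads(line))
            if hit:
                findings.append(hit)
    return findings


# Constructed telemetry; hosts, paths and addresses are made up.
SAMPLE_LOG = r"""
{"event":"network_connect","Image":"C:\\Tools\\SSMS\\Ssms.exe","Initiated":true,"DestinationIp":"93.184.216.34","DestinationPort":1433}
{"event":"network_connect","Image":"C:\\Tools\\SSMS\\Ssms.exe","Initiated":true,"DestinationIp":"10.20.30.40","DestinationPort":1433}
{"event":"network_connect","Image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Initiated":true,"DestinationIp":"93.184.216.34","DestinationPort":443}
{"event":"network_connect","Image":"C:\\Program Files\\SSIS\\dtexec.exe","Initiated":true,"DestinationIp":"8.8.4.4","DestinationPort":1433}
{"event":"app_crash","Application":"Ssms.exe","FaultingModule":"msoledbsql.dll","ExceptionCode":"0xc0000005"}
{"event":"app_crash","Application":"notepad.exe","FaultingModule":"ntdll.dll","ExceptionCode":"0xc0000409"}
{"event":"process_create","ParentImage":"C:\\Tools\\SSMS\\Ssms.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -nop -w hidden"}
{"event":"process_create","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell"}
""".splitlines()

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG):
        print(f"{rule:26} {detail}")
```

The egress rule fires for any process, not only SQL tooling, because application servers and Integration Services hosts connect with the same provider; the crash rule is the cheapest signal of a failed exploitation attempt, since a heap overflow that does not land cleanly usually ends in an access violation (0xc0000005) inside the provider DLL.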

How to Mitigate CVE-2024-37332

Immediate Actions Required

  • Apply the July 2024 Microsoft security updates for all SQL Server 2016, 2017, 2019, and 2022 instances and clients.
  • Update standalone deployments of the Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL) on application servers and developer workstations.
  • Inventory systems that initiate outbound SQL connections and prioritize patching for those crossing trust boundaries.
  • Restrict SQL Server traffic at network boundaries so clients cannot reach untrusted external database endpoints.

Patch Information

Microsoft addressed CVE-2024-37332 in the July 9, 2024 security updates for supported SQL Server versions. Patch identifiers and download links are available in the Microsoft CVE-2024-37332 Update Guide. Administrators should also update standalone OLE DB driver redistributables on client systems that do not run SQL Server but use the provider, since the fix must be present on the connecting side.

Workarounds

  • Block outbound TCP/1433 and other SQL listener ports at the perimeter firewall to prevent connections to attacker-controlled servers. Named instances negotiate dynamic ports through SQL Browser (UDP/1434), so a port block alone is incomplete; an allowlist of approved destination database hosts is more robust.
  • Remove or disable unused linked server definitions and untrusted ODBC DSNs.
  • Use endpoint controls that block or alert when SQL client tools launch script interpreters or other unexpected child processes.
```powershell
# Verify installed MSOLEDBSQL version on Windows (run from PowerShell; OLE DB Driver 19
# installs as a separate product, MSOLEDBSQL19, so check its key as well)
reg query "HKLM\SOFTWARE\Microsoft\MSOLEDBSQL" /v InstalledVersion

# List configured linked servers via sqlcmd (is_linked = 1 excludes the local server's own row)
sqlcmd -S localhost -Q "SELECT name, product, provider, data_source FROM sys.servers WHERE is_linked = 1;"
```
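As an added example (not part of the original page), the script below audits the linked server list that the sqlcmd command above produces, flagging targets that point outside the organisation. It assumes sqlcmd was run with `-s "|" -W` so that columns are pipe-separated, and it treats RFC1918 addresses and the made-up internal DNS suffix .corp.example as trusted; the sample output embedded in the script is constructed.

```python
"""Added example (not the page's code): audit linked server targets from sqlcmd output.
Assumes the query was run as
  sqlcmd -S localhost -s "|" -W -Q "SELECT name, product, provider, data_source FROM sys.servers WHERE is_linked = 1;"
The sample output below is constructed; .corp.example is a made-up internal suffix."""
import ipaddress
import re
from typing import Optional, Tuple

INTERNAL_SUFFIXES = (".corp.example",)                       # assumption for the example
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ROWCOUNT_RE = re.compile(r"^\(\d+ rows? affected\)$")


def split_data_source(ds: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Break 'tcp:host\\instance,port' into (host, instance, port)."""
    s = ds.strip()
    if s.lower().startswith("tcp:"):
        s = s[4:]
    port = None
    if "," in s:
        s, p = s.rsplit(",", 1)
        port = int(p) if p.strip().isdigit() else None
    instance = None
    if "\\" in s:
        s, instance = s.split("\\", 1)
    return s, instance, port


def classify_host(host: str) -> str:
    """Return 'local', 'internal', 'unqualified' or 'external' for a data_source host."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        h = host.lower()
        if h in ("localhost", ".", "(local)"):
            return "local"
        if "." not in h:
            return "unqualified"   # short name resolved via internal DNS/NetBIOS; verify by hand
        return "internal" if h.endswith(INTERNAL_SUFFIXES) else "external"
    if addr.is_loopback:
        return "local"
    return "internal" if any(addr in net for net in TRUSTED_NETS) else "external"


def parse_sqlcmd(text: str, sep: str = "|"):
    """Turn sqlcmd's header / dashes / rows / rowcount output into dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = [c.strip() for c in lines[0].split(sep)]
    rows = []
    for line in lines[2:]:                  # lines[1] is the dashes underline sqlcmd prints
        if ROWCOUNT_RE.match(line.strip()):
            continue
        rows.append(dict(zip(header, (c.strip() for c in line.split(sep)))))
    return rows


def audit(text: str):
    """Return (name, classification, host, port) for each linked server not clearly internal."""
    findings = []
    for row in parse_sqlcmd(text):
        host, _instance, port = split_data_source(row["data_source"])
        cls = classify_host(host)
        if cls in ("external", "unqualified"):
            findings.append((row["name"], cls, host, port))
    return findings


# Constructed sqlcmd output; names and addresses are made up.
SAMPLE_OUTPUT = r"""name|product|provider|data_source
----|-------|--------|-----------
REPORTS01|SQL Server|SQLNCLI11|REPORTS01.corp.example
VENDORSYNC|SQL Server|MSOLEDBSQL|tcp:198.51.100.25,1433
ANALYTICS|SQL Server|MSOLEDBSQL|10.4.7.12\ANALYTICS
LEGACY-HR|SQL Server|SQLNCLI11|hrdb02
CLOUDDW|SQL Server|MSOLEDBSQL|dw.partner-cloud.net,1433

(5 rows affected)
"""

if __name__ == "__main__":
    for name, cls, host, port in audit(SAMPLE_OUTPUT):
        print(f"{name:12} {cls:12} {host}{':' + str(port) if port else ''}")
```

Unqualified short names are reported rather than trusted because a single-label name resolves through whatever search suffix or NetBIOS path the host has, which is exactly the kind of target an attacker can hijack to redirect a linked server query at a malicious endpoint.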

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
