CVE-2024-37333 Overview
CVE-2024-37333 is a remote code execution vulnerability in the Microsoft SQL Server Native Client OLE DB Provider. The flaw is rooted in a heap-based buffer overflow [CWE-122] that an attacker can trigger when a victim client connects to a malicious SQL Server. Successful exploitation allows arbitrary code execution in the context of the connecting user. Microsoft published the advisory on July 9, 2024, and the vulnerability affects SQL Server 2016, 2017, 2019, and 2022. The attack requires user interaction, typically convincing a user to initiate a connection to an attacker-controlled server.
Critical Impact
Attackers who lure a SQL client into connecting to a malicious server can execute arbitrary code on the client host, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- Microsoft SQL Server 2016
- Microsoft SQL Server 2017
- Microsoft SQL Server 2019
- Microsoft SQL Server 2022
Discovery Timeline
- 2024-07-09 - CVE-2024-37333 published to NVD
- 2024-07-09 - Microsoft released the security update (see the Microsoft advisory for CVE-2024-37333)
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-37333
Vulnerability Analysis
The vulnerability resides in the SQL Server Native Client OLE DB Provider, the client-side component used by applications to connect to SQL Server instances. The component fails to validate the size of attacker-controlled data before copying it into a fixed-size heap buffer. This results in a heap-based buffer overflow classified as [CWE-122].
When exploited, the overflow corrupts adjacent heap structures, allowing an attacker to overwrite control data such as function pointers or object virtual tables. The attacker achieves arbitrary code execution in the user context of the OLE DB client process. The vulnerability impacts confidentiality, integrity, and availability on the client host. EPSS data places exploitation probability above the 88th percentile, indicating elevated attacker interest relative to most CVEs.
Root Cause
The root cause is improper bounds checking in the OLE DB Provider when parsing server-supplied protocol data. The provider trusts length fields or data structures returned by the SQL server endpoint and writes them into a heap buffer without verifying that the destination is large enough. This allows specially crafted server responses to corrupt heap memory.
Attack Vector
Exploitation requires an attacker to host a malicious SQL Server and convince a user with the vulnerable OLE DB client installed to connect to it. Common lures include phishing emails containing connection files, malicious links from line-of-business applications, or spoofed internal database hostnames. Once the client initiates the connection, the malicious server returns crafted protocol data that triggers the heap overflow during connection negotiation or query response processing.
No authentication to the attacker server is required. Because the vulnerable component executes within the client application, code runs with the privileges of the user who initiated the database connection. See the Microsoft Security Response Center advisory for protocol-level technical details.
Detection Methods for CVE-2024-37333
Indicators of Compromise
- Outbound TCP connections from workstations or application servers to SQL Server ports (default 1433) on untrusted external IP addresses.
- Crashes or unexpected restarts of processes that load msoledbsql.dll or sqlncli11.dll, often visible in Windows Application event logs.
- Child process creation by Office applications, browsers, or LOB tools immediately after opening a database connection file (.udl, .odc).
Detection Strategies
- Hunt for processes loading the SQL Server Native Client OLE DB Provider DLLs that subsequently spawn cmd.exe, powershell.exe, or rundll32.exe.
- Correlate SQL client connection events with new outbound network sessions to non-corporate IP ranges.
- Monitor for memory access violations and exception events tied to OLE DB modules across the fleet.
Monitoring Recommendations
- Enable Windows Defender Exploit Guard logging and forward exception events to a centralized log platform.
- Track installed versions of msoledbsql.dll and sqlncli*.dll across endpoints to identify unpatched hosts.
- Alert on user-initiated SQL connections to IP addresses outside the approved database server inventory.
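The hunting and alerting logic described above, as an added example that is not part of the original page: it correlates Sysmon-style image-load (7), network-connect (3) and process-create (1) events, flags OLE DB client processes that connect to SQL ports outside an assumed approved-server inventory, and flags those that spawn cmd.exe, powershell.exe or rundll32.exe within a time window. The event records and the 10.20.0.0/24 inventory are constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Provider DLLs named in the indicators above; the legacy client is matched by prefix.
OLE_DB_MODULES = ("msoledbsql.dll",)
OLE_DB_PREFIXES = ("sqlncli",)
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}
SQL_PORTS = {1433}
# Assumed inventory of approved database servers (constructed for this example).
APPROVED_DB_NETS = [ipaddress.ip_network("10.20.0.0/24")]

def is_ole_db_module(path):
    name = PureWindowsPath(path).name.lower()
    return name in OLE_DB_MODULES or name.startswith(OLE_DB_PREFIXES)

def hunt(events, window=timedelta(minutes=5)):
    """Return (rule, pid) alerts for OLE DB client processes that behave suspiciously."""
    loaded = {}  # pid -> time the OLE DB provider DLL was first loaded
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        t = datetime.fromisoformat(ev["t"])
        if ev["id"] == 7 and is_ole_db_module(ev["module"]):
            loaded.setdefault(ev["pid"], t)
        elif ev["id"] == 3 and ev["pid"] in loaded and ev["dport"] in SQL_PORTS:
            dst = ipaddress.ip_address(ev["dst"])
            if not any(dst in net for net in APPROVED_DB_NETS):
                alerts.append(("ole_db_connect_unapproved_server", ev["pid"]))
        elif ev["id"] == 1 and ev["ppid"] in loaded:
            child = PureWindowsPath(ev["image"]).name.lower()
            # Only a shell spawned shortly after the provider was loaded is interesting.
            if child in SUSPICIOUS_CHILDREN and t - loaded[ev["ppid"]] <= window:
                alerts.append(("ole_db_client_spawned_shell", ev["ppid"]))
    return alerts

# Constructed sample telemetry: EXCEL.EXE loads the provider, connects to an external
# host on 1433 and spawns cmd.exe; app.exe uses the legacy client against an approved
# server and spawns powershell.exe only 10 minutes later (outside the window).
SAMPLE_EVENTS = [
    {"t": "2024-07-10T09:00:01", "id": 7, "pid": 4120, "module": r"C:\Windows\System32\msoledbsql.dll"},
    {"t": "2024-07-10T09:00:02", "id": 3, "pid": 4120, "dst": "203.0.113.25", "dport": 1433},
    {"t": "2024-07-10T09:00:05", "id": 1, "ppid": 4120, "pid": 5010, "image": r"C:\Windows\System32\cmd.exe"},
    {"t": "2024-07-10T09:10:00", "id": 7, "pid": 6001, "module": r"C:\Windows\System32\sqlncli11.dll"},
    {"t": "2024-07-10T09:10:01", "id": 3, "pid": 6001, "dst": "10.20.0.15", "dport": 1433},
    {"t": "2024-07-10T09:20:00", "id": 1, "ppid": 6001, "pid": 6100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```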
How to Mitigate CVE-2024-37333
Immediate Actions Required
- Apply Microsoft's July 2024 security update for the affected SQL Server version per the Microsoft advisory for CVE-2024-37333.
- Update the standalone Microsoft OLE DB Driver for SQL Server (msoledbsql) on every client workstation and application server that connects to SQL Server.
- Inventory all hosts with SQL Server Native Client components installed, including legacy sqlncli versions deprecated by Microsoft.
Patch Information
Microsoft released cumulative updates addressing CVE-2024-37333 for SQL Server 2016, 2017, 2019, and 2022 on July 9, 2024. The fix is delivered through both the SQL Server cumulative update channel and the standalone Microsoft OLE DB Driver redistributable. Administrators must patch both the database server and any clients that ship the Native Client OLE DB Provider, since the vulnerable code executes on the client side.
Workarounds
- Restrict outbound TCP traffic on port 1433 and other SQL Server listener ports to an allowlist of known internal database servers.
- Block delivery of database connection file types (.udl, .odc, .dsn) through email gateways where business need does not exist.
- Remove the legacy SQL Server Native Client (sqlncli) from systems where it is no longer required, as it is deprecated by Microsoft.
# Inventory SQL Server Native Client OLE DB Provider on Windows hosts
# Note: querying Win32_Product enumerates through the MSI store and triggers a
# consistency check of every installed package, so it is slow; schedule it off-hours.
# PowerShell continues a statement across lines after a trailing pipe or operator.
Get-WmiObject -Class Win32_Product |
    Where-Object { $_.Name -like "*SQL Server*Native Client*" -or
                   $_.Name -like "*OLE DB Driver*SQL Server*" } |
    Select-Object Name, Version, InstallDate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.