CVE-2024-43462 Overview
CVE-2024-43462 is a remote code execution vulnerability affecting the Microsoft SQL Server Native Client. The flaw resides in how the client component processes data from a malicious SQL Server, enabling an attacker to execute arbitrary code on the system running the client. Exploitation requires user interaction, typically convincing an authenticated user to connect to an attacker-controlled SQL Server instance. Microsoft has classified this issue under [CWE-122] (Heap-based Buffer Overflow). The vulnerability impacts SQL Server 2016, 2017, and 2019 deployments on x64 platforms.
Critical Impact
Successful exploitation grants attackers full code execution in the context of the user running the SQL Server client, leading to confidentiality, integrity, and availability compromise.
Affected Products
- Microsoft SQL Server 2016 (x64)
- Microsoft SQL Server 2017 (x64)
- Microsoft SQL Server 2019 (x64)
Discovery Timeline
- 2024-11-12 - CVE-2024-43462 published to NVD
- 2024-11-12 - Microsoft releases security update via the November 2024 Patch Tuesday
- 2024-11-19 - Last updated in NVD database
Technical Details for CVE-2024-43462
Vulnerability Analysis
The vulnerability is a heap-based buffer overflow [CWE-122] in the SQL Server Native Client. The Native Client is the OLE DB and ODBC component used by applications to communicate with SQL Server instances over the Tabular Data Stream (TDS) protocol. An attacker who controls a SQL Server endpoint can craft malformed response packets that overflow a heap allocation in the client parser. The overflow corrupts adjacent heap structures, enabling arbitrary code execution in the process that initiated the connection.
Exploitation is network-based but requires user interaction. A user must initiate a connection to the attacker-controlled SQL Server, typically through phishing links pointing at a UDL file, an ODBC data source, or an application coerced into connecting outbound. No prior authentication on the target system is required for the attacker.
Root Cause
The root cause is improper validation of length and size fields within server-to-client TDS responses. When the Native Client allocates a buffer based on one field but copies data based on another untrusted field, the resulting heap write exceeds the allocated boundary. Microsoft has not publicly disclosed the specific structure or function involved.
Attack Vector
The attack vector is network-based with user interaction. Attackers stand up a malicious SQL Server listening on TCP 1433 or a custom port, then induce victims to connect using a crafted connection string, a poisoned ODBC DSN, or a malicious .udl file delivered through email or compromised file shares. Once the client completes the TDS handshake, the server returns weaponized response packets that trigger the heap overflow.
No verified proof-of-concept code is publicly available for this vulnerability. Refer to the Microsoft Security Update Guidance for vendor-supplied technical details.
Detection Methods for CVE-2024-43462
Indicators of Compromise
- Outbound TCP connections from workstations or application servers to untrusted external hosts on port 1433 or other SQL listener ports.
- Unexpected child processes spawned by sqlcmd.exe, Microsoft.Data.SqlClient-hosted applications, or processes loading sqlncli11.dll.
- Crash dumps or Windows Error Reporting entries citing heap corruption inside sqlncli11.dll or related Native Client modules.
- New or modified .udl files and ODBC DSN registry entries pointing to external IP addresses.
Detection Strategies
- Monitor process creation events where SQL client utilities or applications loading the Native Client subsequently spawn shells, scripting engines, or LOLBins.
- Inspect EDR telemetry for memory allocation anomalies and access violations within sqlncli11.dll.
- Hunt for connection strings or DSNs referencing public IP space, which is atypical for enterprise database traffic.
Monitoring Recommendations
- Alert on egress SQL traffic (TCP 1433, 1434, 4022) leaving the corporate perimeter from non-database hosts.
- Audit installed versions of sqlncli11.dll across the estate to confirm patch coverage.
- Track creation of ODBC system DSNs under HKLM\SOFTWARE\ODBC\ODBC.INI for unauthorized changes.
How to Mitigate CVE-2024-43462
Immediate Actions Required
- Apply the November 2024 Microsoft security updates for SQL Server 2016, 2017, and 2019 immediately.
- Inventory all systems with the SQL Server Native Client installed, including application servers, developer workstations, and reporting hosts.
- Block outbound SQL Server protocol traffic at the perimeter firewall except to sanctioned database hosts.
- Educate users to avoid opening unsolicited .udl, .odc, or connection-link files received over email or chat.
Patch Information
Microsoft released cumulative updates addressing CVE-2024-43462 on November 12, 2024. Administrators should consult the Microsoft Security Update Guidance for the specific KB articles applicable to each SQL Server build. The Native Client is shipped as a separate redistributable in some deployments and must be updated independently from the database engine.
Workarounds
- Restrict outbound connections on TCP 1433 and other SQL listener ports to known internal database servers using host-based and network firewalls.
- Remove the SQL Server Native Client from systems that do not require it; modern applications should migrate to the Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL).
- Enforce application allowlisting to prevent execution of code spawned from compromised client processes.
# Example: block outbound SQL Server traffic from a Windows endpoint using netsh
netsh advfirewall firewall add rule name="Block Outbound SQL TDS" ^
dir=out action=block protocol=TCP remoteport=1433,1434,4022 ^
profile=any enable=yes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
