CVE-2024-43474 Overview
CVE-2024-43474 is an information disclosure vulnerability affecting Microsoft SQL Server 2017 and Microsoft SQL Server 2019. The flaw allows an unauthenticated remote attacker to retrieve sensitive information from a vulnerable SQL Server instance over the network. The weakness is tracked under [CWE-170: Improper Null Termination], which indicates that improper string termination can expose adjacent memory contents to the attacker.
The vulnerability requires no privileges and no user interaction. Microsoft published the advisory on September 10, 2024 as part of its monthly security update cycle.
Critical Impact
An unauthenticated network attacker can disclose confidential data from Microsoft SQL Server 2017 and 2019 instances, exposing database contents and adjacent process memory.
Affected Products
- Microsoft SQL Server 2017 (x64)
- Microsoft SQL Server 2019 (x64)
- Editions exposed through standard SQL Server network endpoints (TCP/1433 and named instance listeners)
Discovery Timeline
- 2024-09-10 - Microsoft publishes the security advisory for CVE-2024-43474
- 2024-09-10 - CVE-2024-43474 published to the National Vulnerability Database (NVD)
- 2025-01-07 - Last updated in the NVD database
Technical Details for CVE-2024-43474
Vulnerability Analysis
The vulnerability is an information disclosure issue in the Microsoft SQL Server database engine. The CWE classification [CWE-170] points to an improper null-termination condition in string handling code paths used by the server. When the affected code path constructs or returns strings to a client, the missing or malformed null terminator can cause the server to return more bytes than intended.
The extra bytes can include residual contents of server process memory. That memory may contain query data, authentication material, cached query plans, or other tenants' data in shared instances. The vulnerability is reachable over the network through normal SQL Server protocol traffic and does not require authentication.
The issue impacts confidentiality only. Integrity and availability are not affected, according to the published CVSS vector.
Root Cause
The root cause is improper null termination during string processing inside the SQL Server engine. The code returns a buffer whose declared length exceeds the populated content, leaking adjacent memory. This is a classic memory-disclosure pattern in native C and C++ database engines that handle variable-length character data.
Attack Vector
An attacker reaches the vulnerable code path by sending crafted queries or protocol messages to a SQL Server listener exposed on the network. Successful exploitation returns response data that contains uninitialized or out-of-bounds bytes from the server process. The attacker can repeat the request to harvest additional memory fragments and reconstruct sensitive content.
No public proof-of-concept exploit is currently listed for this CVE, and the vulnerability is not present on the CISA Known Exploited Vulnerabilities list. The EPSS model places this CVE in the 91st percentile, indicating relatively elevated likelihood of exploit activity compared to the broader CVE population.
Technical details of the vulnerable code path are not published by Microsoft. Refer to the Microsoft Security Update for CVE-2024-43474 for vendor guidance.
Detection Methods for CVE-2024-43474
Indicators of Compromise
- Unexpected TDS (Tabular Data Stream) responses containing high-entropy or non-printable bytes returned to client applications
- Repeated identical or near-identical queries from a single source against sqlservr.exe that return abnormally large result payloads
- Outbound connections from database hosts to unfamiliar destinations following anomalous query bursts
- SQL Server error log entries showing malformed protocol packets or string conversion anomalies
Detection Strategies
- Inspect SQL Server audit logs and Extended Events sessions for unusual query patterns targeting string-handling functions or system stored procedures.
- Correlate authentication telemetry with query volume to identify unauthenticated or low-privilege sessions issuing large numbers of read requests.
- Hunt for TDS responses whose colmetadata declared length differs significantly from typical client workload patterns.
- Cross-reference patch level reported by SELECT @@VERSION against the fixed builds listed in the Microsoft advisory.
Monitoring Recommendations
- Enable SQL Server Audit and forward events to a central log platform for retention and correlation.
- Monitor network flows to TCP/1433 and named-instance ports for traffic from unexpected source ranges.
- Track sqlservr.exe process memory and crash dump generation as a secondary signal for exploitation attempts.
- Alert on direct exposure of SQL Server instances to untrusted networks discovered through periodic external scanning.
How to Mitigate CVE-2024-43474
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Update for CVE-2024-43474 to all SQL Server 2017 and SQL Server 2019 instances.
- Inventory every SQL Server host in the environment, including development, test, and embedded application instances, and confirm patch state.
- Restrict network access to SQL Server listeners so that only required application servers can reach TCP/1433 and dynamic instance ports.
- Rotate credentials and secrets that may have been resident in SQL Server process memory if exploitation is suspected.
Patch Information
Microsoft released cumulative updates for SQL Server 2017 and SQL Server 2019 that remediate this vulnerability. Refer to the vendor advisory at Microsoft Security Update for CVE-2024-43474 for the specific build numbers and download links applicable to each branch and servicing model.
Workarounds
- Block inbound access to SQL Server ports at the perimeter and host firewall when patching cannot be completed immediately.
- Require all database connections to traverse an authenticated application tier or a database firewall that inspects TDS traffic.
- Disable unused SQL Server features and protocols, including remote admin connections and unnecessary network libraries.
- Enforce least-privilege accounts for application connectivity so that disclosed data remains scoped to a minimal attack surface.
# Configuration example: restrict SQL Server listener to specific application subnet using Windows Firewall
netsh advfirewall firewall add rule name="SQL Server 1433 - App Tier Only" \
dir=in action=allow protocol=TCP localport=1433 \
remoteip=10.20.30.0/24 profile=domain
# Verify current patch level on a SQL Server instance
sqlcmd -S <server> -E -Q "SELECT SERVERPROPERTY('ProductVersion') AS Version, SERVERPROPERTY('ProductLevel') AS Level"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
