CVE-2024-43519 Overview
CVE-2024-43519 is a remote code execution vulnerability in the Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server. The flaw stems from a numeric truncation error [CWE-197] in the provider's handling of data returned from a SQL Server instance. An attacker who controls a malicious SQL Server can trigger code execution on a client that connects to it. Exploitation requires user interaction, such as a victim initiating a database connection from an affected Windows system. Microsoft addressed the issue in the October 2024 Patch Tuesday release.
Critical Impact
Successful exploitation allows an attacker-controlled SQL Server to execute arbitrary code on the connecting Windows client with the privileges of the database client process, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2) and Windows 11 (21H2, 22H2, 23H2, 24H2)
- Microsoft Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, and 2022 23H2
- The Windows Data Access Components OLE DB provider for SQL Server (SQLOLEDB, sqloledb.dll), which ships in-box with the above Windows releases and is serviced through the Windows cumulative update. The separately downloadable Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL, msoledbsql.dll) is a different component with its own advisories and installer; if it is present on your hosts, check its own entries in the Microsoft Security Update Guide rather than assuming the Windows update covers it.
Discovery Timeline
- 2024-10-08 - CVE-2024-43519 published to the National Vulnerability Database
- 2024-10-08 - Microsoft released security update guidance for CVE-2024-43519
- 2024-10-17 - Last updated in the NVD database
Technical Details for CVE-2024-43519
Vulnerability Analysis
The vulnerability resides in the WDAC OLE DB provider, the client-side component Windows applications use to communicate with Microsoft SQL Server. The provider performs a numeric truncation when processing server-supplied data structures. This truncation causes the provider to allocate or interpret a buffer smaller than the data subsequently written, leading to a memory corruption condition that can be steered toward remote code execution. The attacker does not need credentials on the victim system, but the victim must initiate or be coerced into initiating a connection to a hostile SQL Server endpoint.
The attack is network-reachable, requires low complexity, and needs no prior privileges on the target. The user interaction requirement is typically satisfied by opening a malicious .udl or .odc file, an Office document carrying an external data connection, or another artifact that makes a client application open an OLE DB connection to the attacker's server. With an EPSS probability of 7.097% (91.6 percentile) at the time of writing (EPSS scores are recomputed daily), CVE-2024-43519 ranks among the more likely-to-be-exploited Microsoft client vulnerabilities from the October 2024 release.
Root Cause
The underlying defect is a numeric truncation error [CWE-197] inside the OLE DB provider's parsing logic. A larger integer value supplied by the server is narrowed to a smaller integer type used in subsequent allocation or length checks. The mismatch between the truncated size and the actual amount of data processed creates an out-of-bounds memory write that an attacker can shape into controlled code execution.
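The following is an added illustration of the CWE-197 pattern described above, written for this page; it is not the provider's code and does not reproduce the real wire format. It models a server-supplied record as a 4-byte length prefix followed by payload (a constructed layout), a client that narrows the 32-bit length to 16 bits before sizing its buffer, and the hardened version that range-checks the full value before any narrowing. The overflow is reported as an exception in the model; in native code the same mismatch is an out-of-bounds write.

```python
import struct
from typing import Optional

# Constructed record layout for the model: <u32 length><payload>.
# The real provider's structures differ; only the truncation pattern is the point.
MAX_FIELD = 0xFFFF  # the width the vulnerable path effectively trusts


def build_record(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a sample record. claimed_length lets a 'malicious server' lie about size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("<I", length) + payload


class TruncationOverflow(Exception):
    """Raised by the model when more bytes would be written than were allocated."""


def vulnerable_parse(record: bytes) -> bytearray:
    """CWE-197: allocation uses the value narrowed to 16 bits, the copy uses all 32."""
    (length,) = struct.unpack_from("<I", record, 0)
    alloc = length & 0xFFFF                 # narrowing happens here, unchecked
    buf = bytearray(alloc)                  # buffer sized from the truncated value
    payload = record[4:4 + length]          # copy length still driven by full value
    if len(payload) > len(buf):
        # In C this memcpy would run past the heap allocation; the model raises.
        raise TruncationOverflow(f"{len(payload)} bytes written into {len(buf)}-byte buffer")
    buf[:len(payload)] = payload
    return buf


def hardened_parse(record: bytes) -> Optional[bytearray]:
    """Validate the full-width value against both the field limit and bytes on hand."""
    if len(record) < 4:
        return None
    (length,) = struct.unpack_from("<I", record, 0)
    if length > MAX_FIELD:                  # reject before any narrowing can occur
        return None
    if length > len(record) - 4:            # server claims more than it actually sent
        return None
    buf = bytearray(length)
    buf[:] = record[4:4 + length]
    return buf


if __name__ == "__main__":
    benign = build_record(b"A" * 16)
    hostile = build_record(b"B" * 0x10005)  # 65541 bytes: low 16 bits are 5
    print("benign:", len(hardened_parse(benign)), "bytes accepted")
    print("hostile, hardened:", hardened_parse(hostile))
    try:
        vulnerable_parse(hostile)
    except TruncationOverflow as exc:
        print("hostile, vulnerable:", exc)
```

The hostile record claims 0x10005 bytes; the vulnerable path allocates 5 (the low 16 bits) and then copies 65541, which is exactly the size mismatch the root-cause paragraph describes. The check order in `hardened_parse` matters: compare the original width against the limit first, then against the data actually received.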
Attack Vector
An attacker hosts a malicious SQL Server instance and lures a victim into connecting to it. The malicious server returns a crafted response containing size fields engineered to trigger the truncation. When the WDAC OLE DB provider parses the response, the corrupted length leads to memory corruption inside the client process. Common delivery paths include phishing emails carrying Office documents with external data connections, malicious universal data link (.udl) files, or links that invoke applications relying on MSOLEDBSQL.
No public proof-of-concept code has been released for CVE-2024-43519, and Microsoft has not reported in-the-wild exploitation. See the Microsoft Security Update Guide for CVE-2024-43519 for vendor-supplied technical context.
Detection Methods for CVE-2024-43519
Indicators of Compromise
- Outbound TCP connections from end-user workstations to SQL Server endpoints outside known database infrastructure, on port 1433 or on non-standard ports (the port is whatever the attacker's connection string names).
- Office applications (winword.exe, excel.exe) or rundll32.exe loading sqloledb.dll (or msoledbsql.dll where the standalone driver is installed) and then spawning child processes such as cmd.exe or powershell.exe. The provider load alone is low-signal, because sqloledb.dll ships in-box and is used by legitimate data connections; the combination with an untrusted destination or an unexpected child process is the indicator.
- Creation or execution of .udl, .odc, or .iqy files from email attachments, browser downloads, or user temp directories.
Detection Strategies
- Hunt for processes that load sqloledb.dll (or msoledbsql.dll) and subsequently exhibit unsigned module loads, shellcode-like memory regions, or unexpected network egress.
- Alert when client workstations initiate SQL Server connections to external IP ranges that fall outside known database infrastructure.
- Inspect endpoint telemetry for crashes or exceptions in processes loading the WDAC OLE DB provider, which can indicate failed exploitation attempts.
Monitoring Recommendations
- Because the in-box provider is present on every affected Windows release, inventory by patch state rather than by file presence: correlate each host's installed October 2024 cumulative update (and, where present, the standalone MSOLEDBSQL driver version) against patch-compliance data.
- Forward Sysmon Event IDs 1, 3, 7, and 11 from workstations to a centralized SIEM and build queries pivoting on msoledbsql.dll image loads.
- Track Microsoft Defender SmartScreen, AMSI, and Office macro-execution events to identify the document delivery stage that typically precedes exploitation.
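The detection strategies and monitoring items above describe one correlation: a process loads the provider, then either talks to a SQL endpoint outside known database infrastructure or spawns a suspicious child. The following added example, written for this page and not part of any vendor tooling, runs that logic over a handful of constructed Sysmon-style events (Event ID 7 image load, 3 network connect, 1 process create) already normalised into dicts. The database subnet and the sample process IDs are assumptions; in a SIEM the same joins would be expressed as queries keyed on the process GUID.

```python
import ipaddress
from typing import Dict, List

# Provider DLLs to pivot on: in-box SQLOLEDB plus the standalone MSOLEDBSQL driver.
PROVIDER_DLLS = {"sqloledb.dll", "msoledbsql.dll"}
# Children that an Office or rundll32 process hosting a database connection should not spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "rundll32.exe"}
# Assumed internal database ranges; replace with your own inventory.
KNOWN_DB_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_known_db_endpoint(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_DB_NETS)


def hunt(events: List[Dict]) -> List[Dict]:
    """Correlate provider loads with later egress and child processes, per PID."""
    loaders: Dict[int, str] = {}  # pid -> image that loaded a provider DLL
    findings: List[Dict] = []
    for ev in events:  # events are assumed to be in time order
        eid = ev["event_id"]
        if eid == 7 and basename(ev["image_loaded"]) in PROVIDER_DLLS:
            loaders[ev["pid"]] = ev["image"]
        elif eid == 3 and ev["pid"] in loaders:
            # Any destination outside known DB infrastructure, regardless of port.
            if not is_known_db_endpoint(ev["dest_ip"]):
                findings.append({"rule": "untrusted_sql_endpoint", "pid": ev["pid"],
                                 "image": loaders[ev["pid"]],
                                 "dest": f'{ev["dest_ip"]}:{ev["dest_port"]}'})
        elif eid == 1 and ev["parent_pid"] in loaders:
            if basename(ev["image"]) in SUSPICIOUS_CHILDREN:
                findings.append({"rule": "suspicious_child_process", "pid": ev["parent_pid"],
                                 "image": loaders[ev["parent_pid"]], "child": ev["image"]})
    return findings


# Constructed sample telemetry (not real logs): Excel talking to an internal database,
# Word talking to an external host and then launching PowerShell, an unrelated svchost.
SAMPLE_EVENTS = [
    {"event_id": 7, "pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image_loaded": r"C:\Windows\System32\sqloledb.dll"},
    {"event_id": 3, "pid": 4120, "dest_ip": "10.20.5.7", "dest_port": 1433},
    {"event_id": 1, "pid": 4301, "parent_pid": 4120, "image": r"C:\Windows\splwow64.exe"},
    {"event_id": 7, "pid": 5532, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image_loaded": r"C:\Windows\System32\sqloledb.dll"},
    {"event_id": 3, "pid": 5532, "dest_ip": "203.0.113.45", "dest_port": 14330},
    {"event_id": 1, "pid": 5610, "parent_pid": 5532,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 3, "pid": 900, "dest_ip": "203.0.113.1", "dest_port": 443},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Only the Word process produces findings: the Excel connection lands inside the assumed database range, and the svchost egress never follows a provider load. Tune `KNOWN_DB_NETS` carefully; an overly broad allow list hides the exact condition this CVE relies on, a client willingly connecting to a server it should not trust.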
How to Mitigate CVE-2024-43519
Immediate Actions Required
- Apply the October 2024 Microsoft security updates to all affected Windows 10, Windows 11, and Windows Server systems without delay.
- Block outbound TCP/1433 and other SQL Server ports at the perimeter firewall for hosts that do not require external database connectivity. Note that a port block is only a partial control: the attacker chooses the port in the connection string the victim opens, so a default-deny egress policy for workstations is stronger than a port-specific rule.
- Disable handling of .udl, .odc, and .iqy file types in email gateways and remove their associations on user endpoints where feasible.
- Restrict execution of Office external data connections via Group Policy until patch deployment is verified.
Patch Information
Microsoft released fixes for CVE-2024-43519 as part of the October 8, 2024 Patch Tuesday cycle. Refer to the Microsoft Security Update Guide for CVE-2024-43519 for the KB article that matches each affected Windows version and install it through Windows Update, WSUS, or Microsoft Update Catalog.
Workarounds
- Where patching is not immediately possible, prevent end-user workstations from connecting to untrusted SQL Server instances using host-based firewall rules.
- Enforce the attack surface reduction (ASR) rules "Block all Office applications from creating child processes" and "Block Office applications from creating executable content", which interrupt the most common post-exploitation step from an Office-hosted connection.
- Use application control policies such as Windows Defender Application Control or AppLocker to prevent execution of unsigned or unapproved binaries. These policies do not key on which DLLs a parent process loaded; their value here is blunting the payload stage if a client process is compromised. (This "WDAC" is unrelated to the Windows Data Access Components abbreviation used elsewhere on this page.)
# Example: block outbound SQL Server traffic on Windows endpoints until patching completes.
# Run from an elevated PowerShell session. This covers only the default port; a hostile
# server can listen on any port named in the connection string, so pair it with the
# egress controls above. Windows Firewall block rules take precedence over allow rules,
# so hosts that still need internal SQL access should scope this rule with -RemoteAddress
# to external ranges instead of relying on an allow exception.
New-NetFirewallRule -DisplayName "Block-Outbound-MSSQL-1433" `
    -Direction Outbound `
    -Action Block `
    -Protocol TCP `
    -RemotePort 1433 `
    -Profile Any
# Remove the rule once the October 2024 update is confirmed installed:
# Remove-NetFirewallRule -DisplayName "Block-Outbound-MSSQL-1433"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.