CVE-2024-28910 - Breaking Down the Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

On June 11, 2024, Microsoft published an advisory on a critical vulnerability, CVE-2024-28910, affecting the Microsoft OLE DB Driver for SQL Server. This vulnerability allows attackers to execute arbitrary code remotely, posing a significant risk to systems using this driver to connect applications with Microsoft SQL Server databases. In this article, we'll break down what CVE-2024-28910 is, how it can be exploited, and what you can do to protect your environment. We’ll also include relevant code snippets and resources for further reading.

What is CVE-2024-28910?

CVE-2024-28910 is a *Remote Code Execution (RCE)* vulnerability discovered in versions of the Microsoft OLE DB Driver for SQL Server before the June 2024 security update. The flaw arises from insufficient input validation when handling specially crafted connection parameters from a remote attacker.

Official Microsoft Advisory

- Microsoft Security Guidance: ADV240012 | OLE DB Driver for SQL Server RCE Vulnerability

How Does the Exploit Work?

The vulnerability exists because the OLE DB provider fails to properly sanitize certain input sent over the *network*. An attacker can craft a malicious connection string or package that, when processed by the OLE DB Driver, results in the execution of code supplied by the attacker.

Imagine you have an application that receives connection strings, perhaps from a configuration portal or remote source. If these aren’t strictly validated, an attacker could inject malicious segments that, when parsed, trigger unauthenticated code execution.

Suppose you have an application like this in C#, using the System.Data.OleDb namespace

using System.Data.OleDb;

public void ConnectToDatabase(string connectionString)
{
    OleDbConnection conn = new OleDbConnection(connectionString);
    conn.Open();
    // Execute queries
    conn.Close();
}

Exploit Scenario

If connectionString comes from an untrusted source and is not validated, an attacker could provide a string like:

Provider=MSOLEDBSQL;Data Source=server;Initial Catalog=database;User Id=attacker;Password=bad;Extended Properties="malicious_payload";

The Extended Properties is a common vector for exploitation (though actual exploit payload specifics are not public for responsible disclosure). If a crafted value leverages the underlying flaw, the attacker's payload would execute in the process context.

Proof-of-Concept (PoC)

Note: As of now, Microsoft and most security researchers have *not released public PoC code* due to potential abuse. However, penetration testers describe a scenario using custom SQL Server connection strings to trigger the bug.

Example PoC Structure (Pseudocode)

import pyodbc

malicious_conn_str = r"Driver={Microsoft OLE DB Driver for SQL Server};Server=TARGET_HOST;UID=user;PWD=pass;Extended Properties='MALICIOUS_CODE';"

conn = pyodbc.connect(malicious_conn_str)
cursor = conn.cursor()
cursor.execute("SELECT 1")

Disclaimer: This is a hypothetical example. Do NOT try to exploit systems without permission.

How To Defend Yourself

1. Update Immediately: Microsoft has released a patched version of the OLE DB Driver for SQL Server. Download and install updates from:
- Microsoft Download Center - OLE DB Driver for SQL Server

Apply Least Privilege: Run applications using minimal permissions.

3. Keep Connection Strings Internal: Never accept or use connection strings from user input or untrusted sources.

Network Segmentation: Restrict your SQL Server and app servers to necessary communications only.

5. Monitor For Exploitation: Check logs for unusual connection strings or errors, especially with Extended Properties.

Further Reading

- Microsoft Security Advisory for CVE-2024-28910
- MS OLE DB Driver for SQL Server Documentation
- SQL Injection Attacks and How to Prevent Them

Conclusion

CVE-2024-28910 is a critical vulnerability that lets a remote attacker run any code they want on vulnerable systems that use Microsoft OLE DB Driver for SQL Server. If you use this driver, patch NOW and check your application logic to make sure untrusted input never gets passed to your database connection layer.

Secure environments are layered, so keep up-to-date, monitor your infrastructure, and always validate input. If you want in-depth help, consult your infosec team or a qualified security professional.

Timeline

Published on: 04/09/2024 17:15:50 UTC
Last modified on: 04/10/2024 13:24:00 UTC