CVE CyberSecurity Database News

CVE-2024-28913 - Inside Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability

Poster -

In March 2024, Microsoft patched a critical vulnerability in its OLE DB Driver for SQL Server (MSOLEDBSQL) identified as CVE-2024-28913. This flaw could allow a remote attacker to execute arbitrary code, opening doors to full system compromise. If you run SQL Server applications relying on OLE DB, you need to understand this bug and patch now. Let’s break it down using plain language, exclusive technical details, code snippets, and links to trusted sources.

Component: Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL)

- Affected Versions: 18.6.7 or earlier (see official advisory)
- Attack Vector: Network (remotely exploitable, no authentication required under certain conditions)

CVSS Score: 8.1 (High)

OLE DB is a data access interface in Windows that allows apps to connect to various databases, including Microsoft SQL Server.

How Does the Vulnerability Work?

Put simply, the vulnerability lies in the way the OLE DB driver handles specially crafted network responses while connecting users/apps to SQL Server databases. Malicious responses can corrupt memory due to inadequate boundary checks, which an attacker can exploit to run code in the context of the connecting application.

A vulnerable version of the OLE DB driver must be installed on the victim’s system.

- The victim app must connect to an attacker-controlled SQL Server (directly or via a poisoned network, like Man-In-The-Middle).

Here’s a real-world scenario

1. The attacker sets up a malicious SQL Server instance or rigs a network to alter traffic between your app and the genuine SQL Server.

Example Exploit Code Snippet

WARNING: The following is a proof-of-concept in simplified pseudo-code. It illustrates how a crafted SQL server could send a malicious payload to exploit CVE-2024-28913.

# Attacker-controlled SQL Server sending malicious response
import socket

def serve_malicious_sql():
    s = socket.socket()
    s.bind(('...', 1433))  # standard SQL Server port
    s.listen(1)
    print('Malicious SQL Server running...')
    conn, addr = s.accept()
    print(f'Received connection from {addr}')
    # Send valid TDS handshake first, then malicious payload
    valid_handshake = build_tds_handshake()
    conn.sendall(valid_handshake)
    malicious_payload = b'\x10\x20...'  # Crafted payload to trigger OLE DB driver bug
    conn.sendall(malicious_payload)
    conn.close()

# Utility to build a minimal TDS handshake (content omitted for brevity)
def build_tds_handshake():
    return b'\x04\x01\x00\x3A...' # minimal example

serve_malicious_sql()

NOTE: In a genuine exploit, the details of malicious_payload would be crafted to corrupt memory and execute injected shellcode.

Update Now: Microsoft fixed this bug in MSOLEDBSQL 18.6.8+. Download here:

OLE DB Driver for SQL Server – Latest Version
- Restrict Network Access: Only allow trusted endpoints to connect with your database infrastructure.
- Use Encrypted Connections: Enable TLS/SSL to prevent man-in-the-middle-style attacks.
- Monitor Logs: Look for unusual new database connections or apps suddenly crashing (signs of exploitation).

References & Further Reading

- 🛡️ Microsoft Security Advisory CVE-2024-28913
- 📦 Download OLE DB Driver for SQL Server
- 🧑‍💻 Discuss SQL Server Security on StackExchange
- 🔒 MSRC Blog: March 2024 Patch Tuesday

Final Notes

CVE-2024-28913 is a major threat to any application using Microsoft’s OLE DB Driver for SQL Server. The impact stretches from enterprise back-ends to desktop apps running client connections. Patch immediately and review your exposure if you use MSOLEDBSQL.

If you want more technical deep dives or want to discuss this exploit, feel free to join security forums or the r/netsec community.

Timeline

Published on: 04/09/2024 17:15:50 UTC
Last modified on: 04/10/2024 13:24:00 UTC