CVE-2024-38087 - SQL Server Native Client OLE DB Remote Code Execution Vulnerability Explained
In June 2024, Microsoft patched a serious vulnerability, CVE-2024-38087, that affects the SQL Server Native Client’s OLE DB provider. If you’re running SQL Server or use software that connects through Native Client, this is something you should know about — and patch quickly. This post will break down what CVE-2024-38087 is, how it can be exploited, and what you can do to stay safe.
What Is CVE-2024-38087?
CVE-2024-38087 is a Remote Code Execution (RCE) vulnerability in the SQL Server Native Client, specifically its OLE DB provider. The Native Client is a stand-alone data access API used to connect applications to SQL Server. The OLE DB provider helps older applications interact with SQL Server databases.
Attackers who exploit this vulnerability can run arbitrary code on affected systems with the same permissions as the application making the database connection. This is a big deal, especially in environments where SQL Server is commonly used by internal or web applications.
Where Did It Come From?
According to Microsoft’s advisory, the problem lies in the way the OLE DB provider in SQL Server Native Client handles specially crafted requests. If an attacker convinces the target to execute a malicious database query, or they compromise an application that talks to SQL Server, they might be able to trigger code execution.
Who Is Affected?
- SQL Server Native Client (SNAC): Any system using SNAC’s OLE DB provider, often found on older servers.
- Multiple SQL Server Versions: Especially at risk are SQL Server 2008, 2012, and 2014 installations, plus any app that distributes its own SNAC files.
Let’s keep it simple. Imagine this
1. An attacker finds an application that connects to SQL Server using Native Client OLE DB. The app accepts user input for a database query.
The attacker submits a specially crafted payload as input.
3. The vulnerable OLE DB component mishandles the payload and executes malicious code with the application's privileges.
If the application runs as an admin, the attacker gets full system control!
Suppose you have a VBScript (many legacy ETL or reporting solutions do) connecting via OLE DB
Set conn = CreateObject("ADODB.Connection")
conn.Open "Provider=SQLNCLI11;Server=MYSQLSERVER;Database=TestDB;Uid=sa;Pwd=passwd;"
sql = "SELECT * FROM Users WHERE Name = '" & userInput & "'"
Set rs = conn.Execute(sql)
If an attacker controls userInput and triggers the vulnerability in the OLE DB provider during parsing, remote code could run on the server.
Exploit Proof-of-Concept (PoC)
As of now, no public PoC code exists (responsible disclosure is in effect). However, the general exploit chain would look like this (in Python pseudocode):
import pyodbc
# Crafted payload to exploit the OLE DB provider vulnerability
payload = "'; EXEC xp_cmdshell('calc.exe'); --"
conn_str = "Driver={SQL Server Native Client 11.};Server=targetserver;Database=TestDB;Uid=sa;Pwd=passwd;"
conn = pyodbc.connect(conn_str)
cursor = conn.cursor()
cursor.execute(f"SELECT * FROM Users WHERE Name = {payload}")
If unpatched, this could lead to arbitrary command execution.
Mitigation: How To Protect Your Systems
Patch Immediately:
Install the latest security updates from Microsoft
- CVE-2024-38087 Security Update Guide
More Information & References
- Microsoft’s CVE-2024-38087 Advisory
- Native Client OLE DB Provider Documentation
- SQL Vulnerability mitigations
- Mitre CVE Record
Final Thoughts
CVE-2024-38087 is another reminder that legacy components can become critical risks. Old OLE DB providers are still used all over, and attackers know about it. Make sure your SQL Server environments — and any client connecting to them — are fully patched. Audit your code and infrastructure for legacy Native Client use, and move to safer, modern data access technologies wherever possible.
If you found this post useful, check your systems now and don’t wait to apply the patch.
Timeline
Published on: 07/09/2024 17:15:44 UTC
Last modified on: 08/02/2024 04:04:25 UTC