CVE-2023-29372

8.8 HIGH

📋 TL;DR

This vulnerability in Microsoft's WDAC OLE DB provider for SQL Server allows remote attackers to execute arbitrary code on affected systems by sending specially crafted queries. It affects systems running vulnerable versions of SQL Server with the WDAC OLE DB provider enabled. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:
  • Microsoft SQL Server
Versions: Specific versions listed in Microsoft advisory (typically recent versions before patching)
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WDAC OLE DB provider to be enabled and accessible. SQL Server instances with remote connectivity are most vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with administrative privileges, data exfiltration, lateral movement across the network, and persistent backdoor installation.

🟠 Likely Case: Database compromise leading to data theft, privilege escalation, and potential ransomware deployment.

🟢 If Mitigated: Limited impact due to network segmentation, minimal privileges, and proper monitoring catching exploitation attempts.

🌐 Internet-Facing: HIGH - SQL servers exposed to internet are prime targets for automated exploitation.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this for lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authentication to SQL Server but no additional privileges. Exploitation involves crafting specific OLE DB queries.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29372

Restart Required: Yes

Instructions:

1. Apply the latest SQL Server cumulative update from Microsoft.
2. Restart SQL Server services.
3. Verify patch installation via version check.

🔧 Temporary Workarounds

Disable WDAC OLE DB provider

windows

Temporarily disable the vulnerable component if not required for operations

-- Requires SQL Server configuration changes
-- Consult Microsoft documentation for specific steps

Network segmentation

windows

Restrict access to SQL Server ports (1433, 1434) to only trusted hosts. With the Windows Firewall default inbound policy (Block), an allow rule scoped to the trusted addresses is what restricts access; an explicit block rule with remoteip=any would take precedence over allow rules and cut off the trusted hosts as well. Replace the placeholder with your trusted hosts or subnets, and remove any broader existing allow rule for these ports. Note that the SQL Browser service listens on UDP 1434, which this TCP-only rule does not cover.

netsh advfirewall firewall add rule name="Allow SQL from trusted hosts" dir=in action=allow protocol=TCP localport=1433,1434 remoteip=<trusted-hosts-or-subnets>

🧯 If You Can't Patch

  • Implement strict network access controls to limit SQL Server exposure
  • Apply principle of least privilege to SQL Server service accounts and database users

🔍 How to Verify

Check if Vulnerable:

Check SQL Server version against patched versions in Microsoft advisory. Verify WDAC OLE DB provider is enabled.

Check Version:

SELECT @@VERSION;

Verify Fix Applied:

Confirm SQL Server build number matches or exceeds patched version from Microsoft advisory.
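The build comparison described above, as an added example that is not part of the original page: a small Python helper that parses the four-part build number out of SELECT @@VERSION output and compares it to the minimum patched build on the same major.minor branch. The sample @@VERSION text is constructed, and PATCHED_BUILD_PLACEHOLDER is a placeholder value; the real minimum build must be taken from the Microsoft advisory linked above.

```python
import re
from typing import Dict, Optional, Tuple

Build = Tuple[int, int, int, int]

# PLACEHOLDER: the minimum patched build for your SQL Server branch comes from
# the Microsoft advisory for CVE-2023-29372; this number is NOT that value.
PATCHED_BUILD_PLACEHOLDER: Build = (15, 0, 4300, 0)

# Constructed sample of SELECT @@VERSION output (not captured from a real server).
# 15.0.2000.5 is the SQL Server 2019 RTM build, used here as an unpatched example.
SAMPLE_VERSION_OUTPUT = (
    "Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) \n"
    "\tSep 24 2019 13:48:23 \n"
    "\tCopyright (C) 2019 Microsoft Corporation\n"
    "\tEnterprise Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: )"
)

# Four dot-separated integers such as 15.0.2000.5. The OS version "10.0" has only
# two parts and "Build 17763" only one, so neither of those matches.
BUILD_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_build(version_output: str) -> Optional[Build]:
    """Return the SQL Server build as a tuple, or None if no build number is present."""
    m = BUILD_RE.search(version_output)
    if m is None:
        return None
    major, minor, build, rev = (int(g) for g in m.groups())
    return (major, minor, build, rev)


def is_patched(build: Build, minimum: Build) -> bool:
    """True when build is at or above minimum on the same major.minor branch.

    Each branch (e.g. 15.0.x, 16.0.x) has its own fix build, so comparing across
    branches is meaningless and is refused instead of silently answering.
    """
    if build[:2] != minimum[:2]:
        raise ValueError(f"build {build} is not on the {minimum[0]}.{minimum[1]} branch")
    return build >= minimum


def check_instance(version_output: str, minimum: Build = PATCHED_BUILD_PLACEHOLDER) -> Dict[str, object]:
    """Summarise one instance: parsed build, whether it meets the minimum, and why."""
    build = parse_build(version_output)
    if build is None:
        return {"build": None, "patched": False, "reason": "no build number found in @@VERSION output"}
    try:
        patched = is_patched(build, minimum)
    except ValueError as exc:
        return {"build": build, "patched": False, "reason": str(exc)}
    reason = "build meets minimum patched build" if patched else "build is below minimum patched build"
    return {"build": build, "patched": patched, "reason": reason}


if __name__ == "__main__":
    # Feed the text returned by SELECT @@VERSION on each instance into check_instance.
    print(check_instance(SAMPLE_VERSION_OUTPUT))
```

An instance that reports "patched": False with a branch mismatch in its reason needs the minimum build for its own branch looked up separately; a tuple comparison is used rather than string comparison so that 15.0.4300.0 correctly sorts above 15.0.999.1.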

📡 Detection & Monitoring

Log Indicators:

  • Unusual OLE DB provider usage patterns
  • Failed authentication attempts followed by successful connections
  • Unusual query patterns targeting WDAC functionality

Network Indicators:

  • Unusual traffic to SQL Server ports from unexpected sources
  • Large or malformed OLE DB packets

SIEM Query:

source="sql_server" AND (event_id=18456 OR event_id=33205) AND user NOT IN (expected_users)
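The log indicators and the SIEM query above, turned into runnable detection logic as an added example that is not from the original page. unexpected_user_events mirrors the SIEM query (event 18456 or 33205 from a login outside an allow-list); failed_then_success implements the "failed authentication attempts followed by successful connections" indicator with a per-user, per-client sliding window. The event records, the allow-list and the client addresses are constructed; successful logins are recognised by their "Login succeeded" message text, and the 18454 message id attached to them in the sample is an assumption of this example, not something the page states.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

FAILED_LOGIN = 18456  # "Login failed for user ..." (id from the page's SIEM query)
AUDIT_EVENT = 33205   # SQL Server Audit event (id from the page's SIEM query)

# Constructed allow-list of logins expected on this instance.
EXPECTED_USERS: Set[str] = {"svc_app", "sa", "analyst"}

# Constructed sample events in a flattened SIEM-style schema (not real logs).
# 18454 is used here for successful logins as an assumption; the detection below
# keys on the "Login succeeded" message text rather than on that id.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"ts": "2024-05-01 10:00:01", "event_id": 18456, "user": "sa", "client": "203.0.113.7", "message": "Login failed for user 'sa'."},
    {"ts": "2024-05-01 10:00:09", "event_id": 18456, "user": "sa", "client": "203.0.113.7", "message": "Login failed for user 'sa'."},
    {"ts": "2024-05-01 10:00:20", "event_id": 18456, "user": "sa", "client": "203.0.113.7", "message": "Login failed for user 'sa'."},
    {"ts": "2024-05-01 10:00:40", "event_id": 18456, "user": "sa", "client": "203.0.113.7", "message": "Login failed for user 'sa'."},
    {"ts": "2024-05-01 10:01:05", "event_id": 18454, "user": "sa", "client": "203.0.113.7", "message": "Login succeeded for user 'sa'."},
    {"ts": "2024-05-01 10:02:00", "event_id": 18454, "user": "svc_app", "client": "10.0.0.5", "message": "Login succeeded for user 'svc_app'."},
    {"ts": "2024-05-01 10:03:00", "event_id": 18456, "user": "analyst", "client": "10.0.0.22", "message": "Login failed for user 'analyst'."},
    {"ts": "2024-05-01 10:03:10", "event_id": 18456, "user": "analyst", "client": "10.0.0.22", "message": "Login failed for user 'analyst'."},
    {"ts": "2024-05-01 10:03:30", "event_id": 18454, "user": "analyst", "client": "10.0.0.22", "message": "Login succeeded for user 'analyst'."},
    {"ts": "2024-05-01 10:05:00", "event_id": 33205, "user": "reporting_user", "client": "10.0.0.9", "message": "Audit event: SELECT on dbo.Customers (constructed)."},
]


def _ts(ev: Dict[str, object]) -> datetime:
    return datetime.strptime(str(ev["ts"]), "%Y-%m-%d %H:%M:%S")


def unexpected_user_events(events: Iterable[Dict[str, object]], expected_users: Set[str]) -> List[Dict[str, object]]:
    """The page's SIEM query: 18456 or 33205 events whose login is not on the allow-list."""
    return [ev for ev in events
            if ev["event_id"] in (FAILED_LOGIN, AUDIT_EVENT) and ev["user"] not in expected_users]


def failed_then_success(events: Iterable[Dict[str, object]], min_failures: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Flag a successful login preceded by >= min_failures failures from the same user and client within window."""
    findings: List[Dict[str, object]] = []
    failures: Dict[tuple, List[datetime]] = defaultdict(list)  # (user, client) -> failure times
    for ev in sorted(events, key=_ts):
        key = (ev["user"], ev["client"])
        now = _ts(ev)
        if ev["event_id"] == FAILED_LOGIN:
            failures[key].append(now)
            continue
        if str(ev["message"]).startswith("Login succeeded"):
            recent = [t for t in failures[key] if now - t <= window]
            if len(recent) >= min_failures:
                findings.append({"user": ev["user"], "client": ev["client"],
                                 "failures": len(recent), "success_at": ev["ts"]})
            failures[key].clear()  # a success closes the current attempt sequence
    return findings


def run_detections(events: Iterable[Dict[str, object]], expected_users: Set[str]) -> Dict[str, list]:
    """Run both detections over one batch of events and return their findings together."""
    batch = list(events)
    return {"unexpected_users": unexpected_user_events(batch, expected_users),
            "failed_then_success": failed_then_success(batch)}


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS, EXPECTED_USERS).items():
        print(name, hits)
```

Keying the sliding window on (user, client) rather than on user alone keeps a legitimate user's typos at one workstation from being merged with a guessing sequence from another address; the threshold and window are tunable, and lowering min_failures to 2 also flags the analyst sequence in the sample.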
