Login Sign Up

CVE-2024-21359

8.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability in Microsoft's WDAC OLE DB provider for SQL Server allows remote attackers to execute arbitrary code on affected systems by sending specially crafted requests. It affects systems running vulnerable versions of SQL Server with the WDAC OLE DB provider enabled. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:
  • Microsoft SQL Server
Versions: Specific versions as listed in Microsoft advisory (check patch version for details)
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WDAC OLE DB provider to be enabled and accessible. SQL Server instances with this component disabled may not be vulnerable.

📦 What is this software?

Windows 10 1507 by Microsoft

View all CVEs affecting Windows 10 1507 →

Windows 10 1607 by Microsoft

View all CVEs affecting Windows 10 1607 →

Windows 10 1809 by Microsoft

View all CVEs affecting Windows 10 1809 →

Windows 10 21h2 by Microsoft

View all CVEs affecting Windows 10 21h2 →

Windows 10 22h2 by Microsoft

View all CVEs affecting Windows 10 22h2 →

Windows 11 21h2 by Microsoft

View all CVEs affecting Windows 11 21h2 →

Windows 11 22h2 by Microsoft

View all CVEs affecting Windows 11 22h2 →

Windows 11 23h2 by Microsoft

View all CVEs affecting Windows 11 23h2 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2019 by Microsoft

View all CVEs affecting Windows Server 2019 →

Windows Server 2022 by Microsoft

View all CVEs affecting Windows Server 2022 →

Windows Server 2022 23h2 by Microsoft

View all CVEs affecting Windows Server 2022 23h2 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with administrative privileges, data exfiltration, lateral movement across network, and persistent backdoor installation.

🟠

Likely Case

Attacker gains code execution with SQL Server service account privileges, enabling database manipulation, credential theft, and potential privilege escalation.

🟢

If Mitigated

Attack blocked at network perimeter or by application controls, resulting in failed exploitation attempts logged for analysis.

🌐 Internet-Facing: HIGH - SQL servers exposed to internet are prime targets for automated exploitation attempts.
🏢 Internal Only: MEDIUM - Requires internal network access but could be exploited via phishing or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires network access to SQL Server and knowledge of vulnerable configuration. No public exploit code available at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21359

Restart Required: Yes

Instructions:

1. Download appropriate SQL Server cumulative update from Microsoft Update Catalog. 2. Apply update following Microsoft's SQL Server patching procedures. 3. Restart SQL Server services as required.

🔧 Temporary Workarounds

Disable WDAC OLE DB Provider

windows

Disable the vulnerable component if not required for business operations

-- Requires SQL Server configuration changes via SQL Server Configuration Manager or PowerShell

Network Segmentation

all

Restrict network access to SQL Server ports (default 1433) to authorized systems only

🧯 If You Can't Patch

  • Implement strict network access controls to limit SQL Server exposure
  • Enable enhanced logging and monitoring for suspicious SQL Server activity

🔍 How to Verify

Check if Vulnerable:

Check SQL Server version and installed updates against Microsoft's security bulletin

Check Version:

SELECT @@VERSION

Verify Fix Applied:

Verify cumulative update is installed via SQL Server Management Studio: SELECT @@VERSION

📡 Detection & Monitoring

Log Indicators:

  • Unusual OLE DB provider activity
  • Failed authentication attempts to SQL Server
  • Unexpected process creation from SQL Server service

Network Indicators:

  • Malformed OLE DB requests to SQL Server port
  • Unusual outbound connections from SQL Server

SIEM Query:

source="sql_server" AND (event_id=18456 OR event_id=18454) AND user!="NT AUTHORITY\SYSTEM"

📊 Metadata

CVE ID: CVE-2024-21359
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-122
Published: February 13, 2024
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-21359, you might also want to check these:

CVE-2021-21940 10.0

A heap-based buffer overflow vulnerability in Anker Eufy Homebase 2's RTSP handling allows remote co...

Same vulnerability type (CWE-122)
CVE-2023-45318 10.0

This critical vulnerability allows remote attackers to execute arbitrary code on systems running Wes...

Same vulnerability type (CWE-122)
CVE-2025-23123 10.0

A heap buffer overflow vulnerability in UniFi Protect Camera firmware allows remote code execution. ...

Same vulnerability type (CWE-122)