CVE-2024-21361
📋 TL;DR
This vulnerability allows remote code execution through the Microsoft WDAC OLE DB provider for SQL Server. An attacker could exploit this by sending specially crafted queries to a vulnerable system, potentially gaining full control. This affects systems using the WDAC OLE DB provider to connect to SQL Server.
💻 Affected Systems
- Microsoft WDAC OLE DB provider for SQL Server
📦 What is this software?
- Windows 10 1507 by Microsoft
- Windows 10 1607 by Microsoft
- Windows 10 1809 by Microsoft
- Windows 10 21h2 by Microsoft
- Windows 10 22h2 by Microsoft
- Windows 11 21h2 by Microsoft
- Windows 11 22h2 by Microsoft
- Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining SYSTEM/administrator privileges, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Attacker executes arbitrary code with the privileges of the SQL Server service account, potentially leading to data theft, lateral movement, or denial of service.
If Mitigated
Limited impact due to network segmentation, least privilege service accounts, and proper monitoring detecting anomalous queries.
🎯 Exploit Status
Based on CVSS 8.8 and CWE-122 (Heap-based Buffer Overflow), exploitation likely requires crafting specific malicious queries but doesn't require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft's February 2024 security updates or later for the specific patch version.
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21361
Restart Required: Yes
Instructions:
1. Apply the latest security update from Microsoft for the affected component.
2. Restart the system if required.
3. Verify the patch is installed correctly.
🔧 Temporary Workarounds
Disable WDAC OLE DB Provider
Windows: If not required, disable or remove the WDAC OLE DB provider to eliminate the attack surface.
Specific commands would depend on the system configuration; refer to Microsoft documentation for disabling OLE DB providers.
Network Segmentation
All platforms: Restrict network access to SQL Server instances using the WDAC OLE DB provider to only trusted hosts.
🧯 If You Can't Patch
- Implement strict network access controls to limit connections to the SQL Server from untrusted networks.
- Monitor for anomalous query patterns or unexpected process executions related to the SQL Server service.
🔍 How to Verify
Check if Vulnerable:
Check if the WDAC OLE DB provider is installed and in use on systems connecting to SQL Server. Review system logs for any related error messages.
Check Version:
On Windows, `wmic qfe list` reports installed updates by KB number (HotFixID), not by CVE, so look up the KB number for this CVE in the vendor advisory and search for that, e.g. `wmic qfe list | findstr /i "KB<number from the advisory>"` (placeholder), or check the installed updates in system settings.
Verify Fix Applied:
Verify that the Microsoft security update for CVE-2024-21361 is installed via Windows Update or system patch management tools.
📡 Detection & Monitoring
Log Indicators:
- Unusual query patterns to SQL Server via OLE DB, error logs indicating buffer overflow or memory corruption in WDAC provider processes.
Network Indicators:
- Anomalous network traffic to SQL Server ports (default 1433) from unexpected sources, especially with crafted payloads.
SIEM Query:
Example: search for events where source_ip attempts SQL queries with unusual length or patterns to destination_port 1433, correlated with process creation anomalies on the SQL Server host.
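The correlation described in the SIEM query above, written out as an added Python example that is not part of this advisory: the event lines, the trusted-source allow-list, the query-length threshold and the 60-second window are constructed placeholders to be replaced with your own baseline.

```python
# Added example (not from the advisory): a small correlation rule in the spirit of the
# SIEM query above. Event lines, allow-list and thresholds are constructed for illustration.
from datetime import datetime, timedelta

TRUSTED_SOURCES = {"10.0.1.10", "10.0.1.11"}   # assumed allow-list of application servers
MAX_QUERY_LEN = 4096                          # assumed baseline for normal query size
CORRELATION_WINDOW = timedelta(seconds=60)    # assumed window between query and spawn

# Constructed sample events in the form "ts|kind|key=value|..." (not real logs)
SAMPLE_EVENTS = """\
2024-02-13T10:00:01|net|src=10.0.1.10|dport=1433|qlen=312
2024-02-13T10:00:05|net|src=203.0.113.7|dport=1433|qlen=9811
2024-02-13T10:00:09|proc|host=sql01|parent=sqlservr.exe|image=cmd.exe
2024-02-13T10:05:00|net|src=10.0.1.11|dport=1433|qlen=120
2024-02-13T10:07:00|proc|host=sql01|parent=sqlservr.exe|image=conhost.exe
""".splitlines()

def parse_event(line):
    """Split one constructed event line into a dict with a parsed timestamp."""
    ts, kind, *rest = line.split("|")
    fields = dict(f.split("=", 1) for f in rest)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["kind"] = kind
    return fields

def suspicious_query(ev):
    """Network side of the rule: port 1433 traffic that is oversized or from an unlisted source."""
    return (ev["kind"] == "net" and ev["dport"] == "1433"
            and (int(ev["qlen"]) > MAX_QUERY_LEN or ev["src"] not in TRUSTED_SOURCES))

def correlate(lines):
    """Return (src, query_ts, spawned image) for each suspicious query that is followed
    within CORRELATION_WINDOW by a process spawned by the SQL Server service on the host."""
    events = [parse_event(ln) for ln in lines]
    spawns = [e for e in events
              if e["kind"] == "proc" and e["parent"].lower() == "sqlservr.exe"]
    alerts = []
    for q in filter(suspicious_query, events):
        for p in spawns:
            if q["ts"] <= p["ts"] <= q["ts"] + CORRELATION_WINDOW:
                alerts.append((q["src"], q["ts"].isoformat(), p["image"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The later conhost.exe spawn is not reported because no suspicious query preceded it within the window, which is the point of correlating the two sources rather than alerting on either alone.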