CVE-2024-21375 – This vulnerability allows remote code execution... (How to Fix)

Q: What is the severity of CVE-2024-21375?

CVE-2024-21375 has a CVSS score of 8.8 (HIGH). This vulnerability allows remote code execution through the Microsoft WDAC OLE DB provider for SQL Server. An attacker could exploit this to execute arbitrary code on affected systems. Organizations using SQL Server with WDAC OLE DB provider are affected.

📋 TL;DR

This vulnerability allows remote code execution through the Microsoft WDAC OLE DB provider for SQL Server. An attacker could exploit this to execute arbitrary code on affected systems. Organizations using SQL Server with WDAC OLE DB provider are affected.

💻 Affected Systems

Products:

Microsoft SQL Server

Versions: Specific versions listed in Microsoft advisory

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WDAC OLE DB provider usage; SQL Server instances with this component enabled are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise leading to data theft, ransomware deployment, or complete system takeover.

🟠

Likely Case

Attacker gains SYSTEM-level privileges on the SQL Server host, enabling data exfiltration and lateral movement.

🟢

If Mitigated

Limited impact due to network segmentation, least privilege, and proper monitoring.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires specific conditions and may involve memory corruption techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific versions

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21375

Restart Required: Yes

Instructions:

1. Apply the latest Microsoft SQL Server security update. 2. Restart SQL Server services. 3. Verify patch installation.

🔧 Temporary Workarounds

Disable WDAC OLE DB provider

windows

Remove or disable the vulnerable component if not required.

Consult Microsoft documentation for disabling specific OLE DB providers

Network segmentation

all

Restrict access to SQL Server ports (1433, 1434) to trusted networks only.

🧯 If You Can't Patch

Implement strict network access controls to limit SQL Server exposure
Enable enhanced logging and monitoring for suspicious SQL Server activities

🔍 How to Verify

Check if Vulnerable:

Check SQL Server version and installed updates against Microsoft advisory

Check Version:

SELECT @@VERSION

Verify Fix Applied:

Verify security update is installed via Windows Update history or SQL Server version check

📡 Detection & Monitoring

Log Indicators:

Unusual SQL Server process creation
Suspicious OLE DB provider usage

Network Indicators:

Anomalous connections to SQL Server ports
Unexpected network traffic from SQL Server

SIEM Query:

Process creation where parent process contains 'sqlservr.exe' and command line contains suspicious parameters

📊 Metadata

CVE ID: CVE-2024-21375

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: February 13, 2024

Last Updated: November 21, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21375 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21375 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-21375, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows Server 2008 by Microsoft