CVE-2024-26244

8.8 HIGH

📋 TL;DR

CVE-2024-26244 is a remote code execution vulnerability in the Microsoft WDAC (Windows Data Access Components) OLE DB provider for SQL Server, the legacy in-box SQLOLEDB provider that ships with Windows. The direction of attack is the reverse of a typical database bug: according to the Microsoft advisory linked below, an attacker who controls a SQL Server (a malicious listener imitating one is enough) convinces an authenticated user, an application or a linked server to connect to it through the provider, and the malicious server's response executes code on the connecting client. Every Windows host that uses the provider to reach SQL Server is affected; a SQL Server instance is affected to the extent that it acts as an OLE DB client itself, for example through linked servers. Successful exploitation yields code execution as the connecting user or service account, which on a database server or a privileged workstation amounts to full compromise of that host.

💻 Affected Systems

Products:
  • Windows (Windows Data Access Components, OLE DB provider for SQL Server: sqloledb.dll)
  • Microsoft SQL Server, only in its role as an OLE DB client (linked servers and other server-side consumers of the provider)
Versions: Windows releases listed in the Microsoft advisory; fixed by the April 2024 Windows security updates and every later cumulative update that supersedes them
Operating Systems: Windows Server, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The provider is present on every Windows installation, so the only question is whether anything on the host connects with it: Provider=SQLOLEDB in a connection string, a .udl file, a legacy ADO, COM or VBScript application, or a linked server defined with the SQLOLEDB provider. A SQL Server that only accepts inbound connections is not the target; the host that initiates the connection is.

📦 What is this software?

Windows Data Access Components (WDAC, formerly MDAC) are the data-access libraries built into Windows: ADO, the OLE DB core and a set of OLE DB providers, among them the legacy OLE DB provider for SQL Server (provider name SQLOLEDB, implemented in sqloledb.dll). It is kept for backward compatibility with older ADO, COM and scripting applications; Microsoft's supported driver for new development is the separately installed Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL). Because WDAC is part of Windows rather than of SQL Server, fixes for it arrive through Windows security updates, not SQL Server cumulative updates.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Code execution on the connecting host in the security context of the process that opened the connection. When that process is a SQL Server engine following a linked server, a scheduled job, or an administrator's tooling, the result is a compromised database server: credential theft, data exfiltration, lateral movement through the trust relationships the server holds, and a persistent backdoor.

🟠

Likely Case

An interactive user or a business application is induced to connect to an attacker-controlled server, and the attacker gains code execution as that user or service account: enough to read cached credentials and stored connection strings on the host and to move on from there.

🟢

If Mitigated

Limited impact: hosts carrying the April 2024 Windows update are not exploitable; where patching lags, egress filtering to approved SQL Servers, connection strings that never take a server name from untrusted input, and least-privilege service accounts confine what a successful exploit can reach.

🌐 Internet-Facing: HIGH, with a caveat about what "exposed" means here: the asset at risk is any workstation or server that can open an outbound TCP connection to an attacker's SQL Server on the internet, not your SQL Servers' inbound listener. Hosts with unrestricted outbound access are exposed even if none of your SQL Servers is reachable from the internet.
🏢 Internal Only: MEDIUM to HIGH depending on segmentation and on how connection strings are built; an attacker who already controls one internal host, or who can influence a Server= value or a linked server definition, can stand up a malicious listener inside the network.

🎯 Exploit Status

Public PoC: No (none known at time of analysis)
Weaponized: UNKNOWN
Unauthenticated Exploit: No credentials on the victim are required, but the victim must initiate the connection (user interaction or an influenced connection string)
Complexity: MEDIUM

Exploitation requires the attacker to run a malicious SQL Server (or a listener that imitates one) that the victim can reach, plus a way to make the victim connect to it: a link, shortcut or data file pointing at the attacker's data source, a Server= value taken from untrusted input, or a linked server definition. The victim does not need to be authenticated to the attacker in any meaningful sense; it is the victim that connects outward. No public exploit code was available at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: The April 2024 Windows security update for the host's Windows build (the KB number varies by build; see the advisory), or any later cumulative update that supersedes it

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26244

Restart Required: Yes

Instructions:

1. Install the April 2024 or later Windows security update on every Windows host that may connect to SQL Server, not just database servers, via Windows Update, WSUS or the Microsoft Update Catalog.
2. Reboot the host.
3. Update any separately installed Microsoft OLE DB Driver for SQL Server and ODBC Driver for SQL Server to their current releases; the same monthly release fixed those drivers under separate CVEs.
4. Verify by comparing the file version of %SystemRoot%\System32\sqloledb.dll (and the SysWOW64 copy) with the file information in the KB article, and confirm the update appears in the installed-updates history.

🔧 Temporary Workarounds

Stop using the legacy provider where you can

windows

The provider cannot be switched off in SQL Server Configuration Manager; it is a Windows COM component used by clients. Reduce exposure by removing its use: find connection strings, .udl files and scripts that specify Provider=SQLOLEDB and move them to the supported Microsoft OLE DB Driver for SQL Server (Provider=MSOLEDBSQL) at its current patched release, and re-examine SQL Server linked servers defined with the SQLOLEDB provider (visible in sys.servers). Never let untrusted input choose the Server= value of a connection string.

Egress filtering

windows

Blocking inbound 1433 on your SQL Servers does nothing for this bug; the vulnerable side initiates the connection. Instead, block outbound SQL connections from clients and servers to anything that is not an approved SQL Server. Windows Firewall gives block rules precedence over allow rules, so scope the block rule's remoteip to the untrusted ranges (for most hosts, everything outside the internal networks) rather than pairing a blanket block with an allow rule:

netsh advfirewall firewall add rule name="Block outbound SQL to untrusted networks" dir=out action=block protocol=TCP remoteport=1433 remoteip=203.0.113.0/24

Replace 203.0.113.0/24 (a documentation range used here as a placeholder) with the ranges that must never host one of your SQL Servers. A connection string can name any port (Server=host,port), so a port-based rule only covers the default; where a host has general internet access, pair it with proxy or DNS controls.

🧯 If You Can't Patch

  • Restrict outbound TCP 1433 (and UDP 1434, SQL Browser) from clients and servers to an approved list of SQL Servers, and deny outbound SQL to the internet outright
  • Never build a connection string from untrusted input; treat the Server= value as security-sensitive and pin it in configuration
  • Review linked servers (sys.servers) and remove or re-point any that use the legacy SQLOLEDB provider against hosts you do not control
  • Apply least privilege to SQL Server service accounts and to the accounts under which legacy OLE DB applications run, so a successful exploit lands in a low-value context

🔍 How to Verify

Check if Vulnerable:

The vulnerable file is the Windows provider, not the SQL Server engine, so a SQL Server build number does not answer the question. On each Windows host, read the file version of %SystemRoot%\System32\sqloledb.dll (and the 32-bit copy under SysWOW64) and compare it with the file information in the KB article for that host's Windows build; a version below the fixed one, or no April 2024 or later cumulative update in the update history, means vulnerable. Then look for anything that exercises the provider: Provider=SQLOLEDB in connection strings, .udl and .dsn files, and linked servers defined with provider SQLOLEDB.

Check Version:

SELECT @@VERSION;

This reports the SQL Server engine build. Keep it for the linked-server case, where you also want the instance on a supported build, but it says nothing about whether the Windows provider on that host is patched.

Verify Fix Applied:

Confirm that the sqloledb.dll file version is at or above the fixed version in the KB article and that the April 2024 (or later) Windows security update appears in the installed-updates list, and that the host has been rebooted since. Where you also run the separately installed Microsoft OLE DB Driver or ODBC Driver for SQL Server, confirm those are at their patched releases as well.
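The checks above, collected into one script. This is an added example, not Microsoft's tooling and not code from the original page; it assumes the host runs Windows PowerShell 5.1 or later, and the three parameters are placeholders: $FixedFileVersion must be filled from the KB article for your Windows build (with the placeholder value the script only prints the version it found), $SqlInstance is the instance whose linked servers you want to inspect, and $SearchRoots are the directories you keep application configuration in.

```powershell
# Added verification script for CVE-2024-26244 (not from Microsoft or the original page).
# It checks (1) the file version of the in-box WDAC provider sqloledb.dll,
# (2) which Windows updates were installed on or after the April 2024 release,
# (3) files that still reference Provider=SQLOLEDB, and (4) linked servers on a
# SQL instance that are defined with the legacy provider.
param(
    [version]$FixedFileVersion = [version]'0.0.0.0',     # placeholder: take the sqloledb.dll version from the KB article
    [string]$SqlInstance       = 'localhost',            # placeholder: instance to inspect for linked servers
    [string[]]$SearchRoots     = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemDrive\inetpub"),  # placeholder roots
    [datetime]$PatchRelease    = [datetime]'2024-04-09'  # April 2024 Patch Tuesday
)

Write-Host "== 1. WDAC provider file versions =="
foreach ($dll in "$env:SystemRoot\System32\sqloledb.dll", "$env:SystemRoot\SysWOW64\sqloledb.dll") {
    if (-not (Test-Path $dll)) { continue }
    $fi = (Get-Item $dll).VersionInfo
    # FileVersion can carry trailing build text, so assemble the numeric parts instead of casting the string.
    $ver = [version]::new($fi.FileMajorPart, $fi.FileMinorPart, $fi.FileBuildPart, $fi.FilePrivatePart)
    if ($FixedFileVersion -eq [version]'0.0.0.0') { $state = 'compare against the KB file information' }
    elseif ($ver -lt $FixedFileVersion)          { $state = 'VULNERABLE: below fixed version' }
    else                                          { $state = 'patched' }
    "{0}`t{1}`t{2}" -f $dll, $ver, $state
}

Write-Host "== 2. Updates installed since the April 2024 release =="
Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchRelease } |
    Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn -AutoSize

Write-Host "== 3. Files still referencing the legacy provider =="
$roots = $SearchRoots | Where-Object { $_ -and (Test-Path $_) }
if ($roots) {
    Get-ChildItem -Path $roots -Recurse -File -Include *.config,*.udl,*.dsn,*.ini,*.ps1,*.vbs,*.asp,*.aspx -ErrorAction SilentlyContinue |
        Select-String -Pattern 'Provider\s*=\s*SQLOLEDB' -List -ErrorAction SilentlyContinue |
        Select-Object Path, LineNumber
}

Write-Host "== 4. Linked servers on $SqlInstance defined with the legacy provider =="
# Integrated auth over System.Data.SqlClient, which is part of .NET and needs no extra module.
$cs   = "Server=$SqlInstance;Database=master;Integrated Security=True;Encrypt=True;TrustServerCertificate=True"
$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT name, provider, data_source FROM sys.servers WHERE is_linked = 1 AND provider = 'SQLOLEDB'"
    $rdr = $cmd.ExecuteReader()
    $found = $false
    while ($rdr.Read()) {
        $found = $true
        "{0}`t{1}`t{2}" -f $rdr['name'], $rdr['provider'], $rdr['data_source']
    }
    if (-not $found) { 'none' }
} catch {
    Write-Warning "Could not query ${SqlInstance}: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

Run it elevated on each host you care about; step 4 needs a login with permission to read sys.servers on the instance. Step 3 only finds the provider name spelled out in files, so applications that assemble connection strings in code still have to be reviewed by hand.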

📡 Detection & Monitoring

Log Indicators:

  • Outbound connections to TCP 1433 (Sysmon Event ID 3, or firewall logs) from processes or hosts that do not normally talk to SQL Server, or to destinations missing from your SQL Server inventory
  • sqlservr.exe initiating outbound SQL connections to unknown hosts, which means a linked server or other server-side OLE DB use is pointing somewhere unexpected
  • Application log Event ID 1000 crashes naming sqloledb.dll as the faulting module, a plausible trace of a failed or unstable exploit attempt against the client
  • Unexpected child processes of applications that have just opened an OLE DB connection, including sqlservr.exe spawning cmd.exe or powershell.exe
  • Newly created or modified linked servers (sp_addlinkedserver) in SQL Server audit logs or the default trace

Network Indicators:

  • Outbound TCP 1433 (or UDP 1434, SQL Browser) toward the internet or toward unknown internal addresses
  • TDS traffic on non-standard ports, since a connection string can name any port (Server=host,port)

SIEM Query:

Splunk-style pseudo-query; replace the IP list with your SQL Server inventory and adjust index and field names to your Sysmon and Windows event add-ons:

(index=sysmon EventCode=3 Initiated=true DestinationPort=1433 NOT DestinationIp IN ("10.10.5.20","10.10.5.21")) OR (index=wineventlog EventCode=1000 Message="*sqloledb.dll*") OR (index=sysmon EventCode=1 ParentImage="*\\sqlservr.exe" (Image="*\\cmd.exe" OR Image="*\\powershell.exe"))
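The same hunt run locally on a host, as an added example that is not from the original page or from Microsoft. It parses Sysmon network-connection events (Event ID 3) into flat objects, flags outbound connections to SQL ports whose destination is not in an approved list, and separately lists application crashes that name the provider as the faulting module. The approved-server addresses are a placeholder inventory, and the sample events at the bottom are constructed (two connections to addresses outside the inventory, one to an approved server) so the filter can be exercised on a machine without Sysmon.

```powershell
# Added hunting script for the detection ideas above (not from the page or Microsoft).
# Assumptions: $ApprovedSqlServers is a placeholder for your SQL Server inventory; the live
# query needs Sysmon installed with network-connection logging (Event ID 3) enabled.
$ApprovedSqlServers = @('10.10.5.20', '10.10.5.21')   # placeholder inventory

function Get-SysmonNetworkEvents {
    # Read Sysmon Event ID 3 records and flatten their EventData into objects.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3; StartTime = $Since } |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time                = $_.TimeCreated
                Image               = $data['Image']
                User                = $data['User']
                DestinationIp       = $data['DestinationIp']
                DestinationHostname = $data['DestinationHostname']
                DestinationPort     = [int]$data['DestinationPort']
                Initiated           = ($data['Initiated'] -eq 'true')
            }
        }
}

function Find-UnexpectedSqlEgress {
    # Flag outbound connections to SQL ports whose destination is not an approved server.
    # sqlservr.exe as the source gets its own reason: that is the server itself acting as an
    # OLE DB client (a linked server, typically) toward a host you do not know.
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)] [object]$Event,
        [string[]]$Approved = $ApprovedSqlServers,
        [int[]]$SqlPorts = @(1433)
    )
    process {
        if (-not $Event.Initiated) { return }                      # outbound only
        if ($Event.DestinationPort -notin $SqlPorts) { return }
        if ($Event.DestinationIp -in $Approved) { return }
        $reason = 'client connected to SQL Server outside inventory'
        if ($Event.Image -like '*\sqlservr.exe') { $reason = 'SQL Server acting as OLE DB client toward unknown host' }
        [pscustomobject]@{
            Time        = $Event.Time
            User        = $Event.User
            Image       = $Event.Image
            Destination = '{0}:{1}' -f $Event.DestinationIp, $Event.DestinationPort
            Reason      = $reason
        }
    }
}

function Get-SqlOleDbClientCrashes {
    # Application log Event ID 1000 where the faulting module is the WDAC provider. A failed
    # exploit attempt against the client often ends in a crash, so this is a heuristic, not proof.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'sqloledb\.dll' } |
        Select-Object TimeCreated, Message
}

# Constructed sample events (not real telemetry) so the filter can be exercised offline.
$sample = @(
    [pscustomobject]@{ Time = Get-Date; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; User = 'CORP\alice'
                       DestinationIp = '203.0.113.7'; DestinationHostname = '-'; DestinationPort = 1433; Initiated = $true }
    [pscustomobject]@{ Time = Get-Date; Image = 'C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe'; User = 'NT Service\MSSQLSERVER'
                       DestinationIp = '198.51.100.9'; DestinationHostname = '-'; DestinationPort = 1433; Initiated = $true }
    [pscustomobject]@{ Time = Get-Date; Image = 'C:\Apps\Reports\report.exe'; User = 'CORP\svc_report'
                       DestinationIp = '10.10.5.20'; DestinationHostname = 'sql01.corp.local'; DestinationPort = 1433; Initiated = $true }
)
$sample | Find-UnexpectedSqlEgress | Format-Table -AutoSize

# Live use on a host with Sysmon:
#   Get-SysmonNetworkEvents | Find-UnexpectedSqlEgress | Format-Table -AutoSize
#   Get-SqlOleDbClientCrashes
```

The port filter is deliberately a parameter: a malicious server can listen wherever the connection string points it, so widen $SqlPorts, or drop the port test and key on the process instead, when hunting on hosts whose legitimate SQL traffic you know well.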
