CVE-2024-21375 in Windows

Summary

by MITRE • 02/13/2024

Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability


Analysis

by VulDB Data Team • 06/12/2026

This vulnerability exists in the Microsoft Windows Defender Application Control (WDAC) OLE DB provider for SQL Server and is a critical remote code execution flaw that attackers can exploit to gain unauthorized access to systems. It stems from improper input validation in the OLE DB provider component that handles database connections and data processing operations. When a maliciously crafted database connection string or query is processed through the WDAC OLE DB provider, the inputs are not properly sanitized, creating an opportunity for arbitrary code execution. The flaw particularly affects environments where WDAC is configured to enforce application control policies, since it can be leveraged to bypass those controls and execute malicious code with the privileges of the targeted process.

The technical implementation of this vulnerability involves a buffer overflow condition or injection flaw within the OLE DB provider's parsing mechanism for SQL Server connections. Attackers can craft specially designed connection strings or SQL queries that trigger the vulnerable code path, leading to memory corruption and potential remote code execution. The flaw operates at the application layer and can be exploited through network-based attacks without requiring authentication, making it particularly dangerous in enterprise environments where database connectivity is common. This vulnerability aligns with CWE-121, which describes buffer overflow conditions, and CWE-78, which addresses injection flaws, both of which are fundamental weaknesses in application security design.

The operational impact of this vulnerability extends beyond simple code execution, as it can enable attackers to establish persistent access to systems and escalate privileges within the network. Once the flaw is exploited, the attacker can use the compromised WDAC OLE DB provider to access sensitive data, modify database contents, or use the system as a launch point for further attacks against other network resources. The vulnerability affects multiple versions of Windows Defender Application Control and SQL Server components, making it a widespread concern for organizations with diverse IT infrastructures. Security professionals should note that this vulnerability can be particularly challenging to detect through traditional security monitoring, as the malicious activity may appear as legitimate database operations.

Organizations should implement immediate mitigations, including applying Microsoft security patches and updates that address the vulnerability in WDAC components and SQL Server providers. Network segmentation and firewall rules should be configured to restrict database connectivity where possible, limiting the attack surface available for exploitation. Additionally, enforcing strict application control policies and monitoring for unusual database connection patterns can help detect exploitation attempts. The vulnerability demonstrates the importance of secure coding practices and proper input validation in database connectivity components, aligning with ATT&CK technique T1059.007 for command and script injection. Organizations should also consider deploying database activity monitoring solutions and regularly reviewing WDAC policies to ensure that only trusted applications are permitted to execute within the environment, reducing the risk of exploitation through this and similar vulnerabilities.

Responsible

Microsoft

Reservation

12/08/2023

Disclosure

02/13/2024

Moderation

accepted

CPE

ready

EPSS

0.01652

KEV

no

Activities

very low
