CVE-2024-38087

Double Free (CWE-415)

Published: Jul 9, 2024

010
CVSS 8.8EPSS 0.09%High
CVE info copied to clipboard

Summary

SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability. This vulnerability affects the confidentiality, integrity, and availability of the system, all with high impact. The attack vector is network-based, with low attack complexity and no privileges required, but it does require user interaction.

Impact

An attacker could potentially execute arbitrary code remotely on affected systems. This could lead to unauthorized access to sensitive data, modification of system files or data, and potential disruption of services. The attack requires user interaction, which might involve tricking a user into connecting to a malicious server or opening a specially crafted file. Given the high impact on confidentiality, integrity, and availability, a successful exploit could have severe consequences for the affected systems and data.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Microsoft released an official fix for this vulnerability on July 9, 2024. The following SQL Server versions are affected and should be updated: 1. SQL Server 2019: Versions 15.0.4375.4 to 15.0.4382.1 (exclusive) and versions up to 15.0.2116.2 (exclusive) 2. SQL Server 2016: Versions 13.0.7000.253 to 13.0.7037.1 (exclusive) and versions up to 13.0.6441.1 (exclusive) 3. SQL Server 2022: Versions 16.0.4125.3 to 16.0.4131.2 (exclusive) and versions up to 16.0.1121.4 (exclusive) 4. SQL Server 2017: Versions up to 14.0.2056.2 (exclusive) and versions 14.0.3456.2 to 14.0.3471.2 (exclusive)

Mitigation

1. Apply the official patch released by Microsoft as soon as possible. 2. Implement network segmentation to limit exposure of vulnerable systems. 3. Educate users about the risks of interacting with untrusted sources or opening suspicious files. 4. Monitor for unusual activity related to SQL Server Native Client OLE DB Provider. 5. Consider implementing additional access controls or authentication mechanisms for critical systems. 6. Keep all SQL Server related components and clients up to date with the latest security updates.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380160)

Jul 9, 2024 at 7:53 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Jul 9, 2024 at 5:05 PM / microsoft
CVE Assignment

NVD published the first details for CVE-2024-38087

Jul 9, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-38087. See article

Jul 9, 2024 at 5:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 9, 2024 at 5:34 PM
Trending

This CVE started to trend in security discussions

Jul 9, 2024 at 7:13 PM
EPSS

EPSS Score was set to: 0.09% (Percentile: 39.4%)

Jul 10, 2024 at 10:14 AM
Trending

This CVE stopped trending in security discussions

Jul 12, 2024 at 6:08 PM
Static CVE Timeline Graph

Affected Systems

Microsoft/sql_server_2022
+null more

Patches

Microsoft
+null more

References

Microsoft’s July 2024 Patch Tuesday Addresses 138 CVEs (CVE-2024-38080, CVE-2024-38112)
Microsoft addresses 138 CVEs in its July 2024 Patch Tuesday release, with five critical vulnerabilities and three zero-day vulnerabilities, two of which were exploited in the wild. Microsoft released 138 CVEs in July 2024 Patch Tuesday release, with five rated critical, 132 rated important and one rated moderate.

News

Microsoft’s Security Update in July of High-Risk Vulnerabilities in Multiple Products
On July 10, NSFOCUS CERT detected that Microsoft released a security update patch for July, which fixed 139 security issues involving Windows, Microsoft SQL Server, Microsoft Office, Azure and other widely used products, including high-risk vulnerabilities such as privilege escalation and remote code execution. Due to the heap-based buffer overflow in the Windows remote desktop authorization service, unauthenticated attackers can send special packets to the server set as the remote desktop authorization server, triggering the buffer overflow and executing arbitrary codes on the target system.
[Cyware] Microsoft July 2024 Patch Tuesday fixes 142 flaws, 4 zero-days
Summary: This content highlights the latest vulnerabilities and their severity in various Microsoft products, including .NET and Visual Studio, Active Directory Rights Management Services, Azure CycleCloud, and Azure DevOps. Threat …
Microsoft Enhances Windows 11 24H2 Copilot+ PCs in July Patch Tuesday
Windows Graphics Component Remote Code Execution Vulnerability Windows Network Driver Interface Specification (NDIS) Denial of Service Vulnerability
Microsoft July 2024 Patch Tuesday Fixes 142 Flaws, 4 Zero-Days
As part of Microsoft's July 2024 Patch Tuesday, 142 flaws were addressed, including two zero-days actively exploited and two publicly disclosed. Five critical vulnerabilities were fixed, all related to remote code execution.
Microsoft releases massive July patch addressing 142 flaws, including critical and actively exploited
Windows Graphics Component Remote Code Execution Vulnerability Windows Fax Service Remote Code Execution Vulnerability
See 20 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI