CVE-2024-38088

Heap-based Buffer Overflow (CWE-122)

Published: Jul 9, 2024

010
CVSS 8.8EPSS 0.09%High
CVE info copied to clipboard

Summary

SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability. This vulnerability allows remote code execution with a network-based attack vector. It requires user interaction but no privileges, and has a low attack complexity. The vulnerability affects multiple versions of Microsoft SQL Server, including SQL Server 2016, 2017, 2019, and 2022.

Impact

If exploited, this vulnerability could lead to a severe impact on the affected systems. The attacker could potentially execute arbitrary code remotely, compromising the confidentiality, integrity, and availability of the system. With high impacts on confidentiality, integrity, and availability, an attacker could potentially access sensitive data, modify system files or data, and disrupt normal operations of the affected SQL Server instances. The vulnerability has a CVSS v3.1 base score of 8.8, indicating a high severity level.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Microsoft has released an official fix for this vulnerability on July 9, 2024. Specific version numbers that need updating include: - SQL Server 2016: versions before 13.0.6441.1 and 13.0.7000.253 to 13.0.7037.1 - SQL Server 2017: versions before 14.0.2056.2 and 14.0.3456.2 to 14.0.3471.2 - SQL Server 2019: versions before 15.0.2116.2 and 15.0.4375.4 to 15.0.4382.1 - SQL Server 2022: versions before 16.0.1121.4 and 16.0.4125.3 to 16.0.4131.2

Mitigation

1. Apply the official patch released by Microsoft as soon as possible. 2. Implement network segmentation to limit exposure of SQL Server instances. 3. Enforce strong user education to prevent social engineering attacks, as user interaction is required for exploitation. 4. Monitor for suspicious activities related to SQL Server Native Client OLE DB Provider. 5. Implement the principle of least privilege for SQL Server access. 6. Keep all SQL Server related software and components up to date.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380160)

Jul 9, 2024 at 7:53 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Jul 9, 2024 at 5:05 PM / microsoft
CVE Assignment

NVD published the first details for CVE-2024-38088

Jul 9, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-38088. See article

Jul 9, 2024 at 5:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 9, 2024 at 5:25 PM
Trending

This CVE started to trend in security discussions

Jul 9, 2024 at 7:13 PM
EPSS

EPSS Score was set to: 0.09% (Percentile: 39.4%)

Jul 10, 2024 at 10:14 AM
Trending

This CVE stopped trending in security discussions

Jul 12, 2024 at 6:08 PM
Static CVE Timeline Graph

Affected Systems

Microsoft/sql_server_2016
+null more

Patches

Microsoft
+null more

Attack Patterns

CAPEC-92: Forced Integer Overflow
+null more

References

Microsoft’s July 2024 Patch Tuesday Addresses 138 CVEs (CVE-2024-38080, CVE-2024-38112)
Microsoft addresses 138 CVEs in its July 2024 Patch Tuesday release, with five critical vulnerabilities and three zero-day vulnerabilities, two of which were exploited in the wild. Microsoft released 138 CVEs in July 2024 Patch Tuesday release, with five rated critical, 132 rated important and one rated moderate.

News

Microsoft’s Security Update in July of High-Risk Vulnerabilities in Multiple Products
On July 10, NSFOCUS CERT detected that Microsoft released a security update patch for July, which fixed 139 security issues involving Windows, Microsoft SQL Server, Microsoft Office, Azure and other widely used products, including high-risk vulnerabilities such as privilege escalation and remote code execution. Due to the heap-based buffer overflow in the Windows remote desktop authorization service, unauthenticated attackers can send special packets to the server set as the remote desktop authorization server, triggering the buffer overflow and executing arbitrary codes on the target system.
[Cyware] Microsoft July 2024 Patch Tuesday fixes 142 flaws, 4 zero-days
Summary: This content highlights the latest vulnerabilities and their severity in various Microsoft products, including .NET and Visual Studio, Active Directory Rights Management Services, Azure CycleCloud, and Azure DevOps. Threat …
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
Microsoft Enhances Windows 11 24H2 Copilot+ PCs in July Patch Tuesday
Windows Graphics Component Remote Code Execution Vulnerability Windows Network Driver Interface Specification (NDIS) Denial of Service Vulnerability
Microsoft July 2024 Patch Tuesday Fixes 142 Flaws, 4 Zero-Days
As part of Microsoft's July 2024 Patch Tuesday, 142 flaws were addressed, including two zero-days actively exploited and two publicly disclosed. Five critical vulnerabilities were fixed, all related to remote code execution.
See 22 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI