The identifier #VU77447 refers to a high-severity Remote Code Execution (RCE) vulnerability officially tracked as CVE-2023-29356.
While “input validation error” is the general classification, the technical root cause is more specific: it is a Use After Free (UAF) flaw within the Microsoft ODBC Driver for SQL Server.
Technical Breakdown
Vulnerability Type: Use After Free (CWE-416) resulting from Improper Input Validation (CWE-20).
Severity: 7.8 (High) on the CVSS 3.1 scale.
The Threat: An attacker can execute arbitrary code on a victim's system. To do this, they typically must trick a user into connecting to a malicious SQL Server through the vulnerable ODBC driver, or convince them to open a specially crafted file.
Impact: If successfully exploited, the attacker gains the same permissions as the application using the driver, which could lead to full system compromise.
Affected Software
The vulnerability impacts the Microsoft ODBC Driver for SQL Server across Windows, Linux, and macOS. Specifically:
ODBC Driver 17 for SQL Server: Versions 17.0.1.1 up to (but not including) 17.10.4.1.
ODBC Driver 18 for SQL Server: Versions prior to 18.2.2.1.
SQL Server Bundles: It is also included in certain Cumulative Updates (CUs) for SQL Server 2019 and 2022.
How to Fix It
Microsoft addressed this vulnerability in mid-2023. To secure your system, you should update to the following versions or higher:
ODBC Driver 17: Update to version 17.10.4.1.
ODBC Driver 18: Update to version 18.2.2.1.
SQL Server Instances:
SQL Server 2019: Apply CU21 (KB5025808) or later.
SQL Server 2022: Apply CU5 (KB5026806) or later.
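The version ranges above are easy to misread when checking a fleet by hand (for example, 17.10.3.1 is vulnerable while 17.10.4.1 is fixed). The following triage helper is an added example, not code from the advisory or from Microsoft: it parses driver build numbers, compares them against the fixed builds listed above, and labels each host. The inventory format (a "host,version" line per machine) and the host names and versions in it are constructed for the example; feed it whatever version strings your own inventory tooling produces.

```python
"""Triage helper: decide whether an installed Microsoft ODBC Driver for SQL Server
build falls inside the version ranges listed for CVE-2023-29356."""
from typing import Tuple

Version = Tuple[int, ...]

# First patched build per driver major version, taken from the advisory text.
FIXED = {
    17: (17, 10, 4, 1),
    18: (18, 2, 2, 1),
}
# Driver 17 is listed as affected from 17.0.1.1 onward; earlier 17.x builds are
# outside the stated range and are reported as "not-in-range" rather than safe.
FIRST_AFFECTED_17 = (17, 0, 1, 1)


def parse_version(text: str) -> Version:
    """Turn '17.10.4.1' into (17, 10, 4, 1); missing trailing components become 0."""
    parts = [int(p) for p in text.strip().split(".") if p != ""]
    if not parts:
        raise ValueError(f"empty version string: {text!r}")
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def assess(version_text: str) -> str:
    """Return one of: 'vulnerable', 'patched', 'not-in-range', 'unknown-driver'."""
    v = parse_version(version_text)
    major = v[0]
    if major not in FIXED:
        # Only driver 17 and 18 are named in the advisory; anything else needs
        # a separate check rather than a guess.
        return "unknown-driver"
    if major == 17 and v < FIRST_AFFECTED_17:
        return "not-in-range"
    # Tuple comparison is component-wise, so 17.10.3.1 < 17.10.4.1 is handled
    # correctly even though a plain string compare would get "17.9.x" wrong.
    return "patched" if v >= FIXED[major] else "vulnerable"


# Constructed sample inventory (hypothetical hosts and versions), in the
# "host,driver version" shape a configuration-management export might produce.
SAMPLE_INVENTORY = """\
app01,17.10.3.1
app02,17.10.4.1
db-proxy,18.1.2.1
batch01,18.2.2.1
legacy,13.1.0.0
"""


def triage(inventory: str) -> dict:
    """Map each host in the inventory to its assessment; skips malformed lines."""
    result = {}
    for line in inventory.splitlines():
        if "," not in line:
            continue
        host, ver = (s.strip() for s in line.split(",", 1))
        try:
            result[host] = assess(ver)
        except ValueError:
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Hosts reported as "vulnerable" need the driver update from the list above; "unknown-driver" hosts are running a major version the advisory does not cover and should be checked against the vendor's own guidance for that build rather than assumed clean.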
Tip: Since exploitation requires the vulnerable client to connect to a malicious source, it is highly recommended to restrict outbound database traffic to known, trusted IP addresses while you are in the process of patching.