Safeguard
Vulnerability Analysis

CVE-2024-0056: Security bypass in Microsoft.Data.SqlClient

CVE-2024-0056 lets attackers bypass TLS protections in Microsoft.Data.SqlClient/System.Data.SqlClient. Affected versions, remediation, and masking as defense in depth.

Daniel Chen
Security Engineer
7 min read

Microsoft's January 2024 .NET security release disclosed CVE-2024-0056, a security feature bypass vulnerability in Microsoft.Data.SqlClient and the legacy System.Data.SqlClient — the ADO.NET data provider libraries that the overwhelming majority of .NET applications use to talk to Microsoft SQL Server and Azure SQL Database. At its core, the flaw undermines the transport-layer protections applications rely on when they believe they are connecting to SQL Server over an encrypted, validated channel. In practice, that means an attacker positioned on the network path — a classic man-in-the-middle (MITM) scenario — could intercept, read, or tamper with data in transit between an application and its database, even when the application's connection string explicitly requested encryption.

For a company like Safeguard, whose entire mission is closing the gap between "a dependency is present in your build" and "a dependency is actively putting you at risk," CVE-2024-0056 is a textbook example of why software supply chain visibility has to extend into the data-access layer, not just web frameworks and serialization libraries. SqlClient sits directly between application code and the database holding your most sensitive records — customer PII, financial data, credentials — which makes a TLS/encryption bypass here materially different from a bypass in a less privileged component.

Affected Versions and Components

CVE-2024-0056 was published alongside a companion advisory, CVE-2024-0057, as part of Microsoft's coordinated January 2024 disclosure covering the SqlClient family of drivers. Both issues were tracked publicly through Microsoft Security Response Center (MSRC) and mirrored as a GitHub Security Advisory for the Microsoft.Data.SqlClient NuGet package (GHSA-98g6-xh36-x3v9).

The affected components are:

  • Microsoft.Data.SqlClient — the modern, actively maintained ADO.NET driver for SQL Server, distributed as a NuGet package and used across .NET Framework, .NET Core, and modern .NET applications.
  • System.Data.SqlClient — the older, in-maintenance-mode driver that ships as part of the .NET Framework base class libraries and is still referenced by a large number of legacy line-of-business applications.

Because both libraries are transitively pulled in by ORMs (Entity Framework, Entity Framework Core), reporting tools, ETL pipelines, and countless internal services, the practical blast radius extends well beyond applications that reference SqlClient directly. Microsoft shipped patched builds of Microsoft.Data.SqlClient and corresponding updates for System.Data.SqlClient through the standard .NET update channels; teams should treat "which SqlClient version is actually resolved at build and runtime" as the operative question rather than assuming a framework-level patch alone resolves the issue for every project.

CVSS, EPSS, and KEV Context

Microsoft classified CVE-2024-0056 as a Security Feature Bypass with an Important severity rating, reflecting that exploitation requires network positioning (an active MITM capability) rather than being remotely exploitable with no prerequisites. This is consistent with the general pattern for TLS/certificate-validation-bypass issues in database client libraries: severe in the right network conditions, but not a "drop everything, internet-wide" wormable flaw.

As of this writing, CVE-2024-0056 does not appear in CISA's Known Exploited Vulnerabilities (KEV) catalog, and we are not aware of confirmed in-the-wild exploitation. That absence of confirmed exploitation is not a reason to deprioritize remediation, however — encryption-bypass vulnerabilities in database drivers are exactly the kind of issue that is quietly valuable to an attacker who has already achieved network-level access (compromised switch, rogue Wi-Fi, malicious cloud tenant peering, insider access) and is looking to escalate from network presence to data access without tripping alarms further up the stack.

Timeline

  • January 2024 — Microsoft discloses CVE-2024-0056 and CVE-2024-0057 as part of its regular .NET/SqlClient security update cadence, coinciding with Patch Tuesday. Patched versions of Microsoft.Data.SqlClient are published to NuGet.
  • Same window — The GitHub Security Advisory (GHSA-98g6-xh36-x3v9) for the microsoft.data.sqlclient package is published, giving dependency-scanning tools and SCA platforms a machine-readable record to match against installed package versions.
  • Ongoing — Downstream package maintainers, ORM authors, and application teams progressively bump their minimum supported SqlClient versions; because this is a client-library dependency rather than a server patch, remediation depends entirely on individual applications rebuilding and redeploying against updated packages — there is no "patch the server and you're done" shortcut.

The key operational lesson in the timeline is the same one that recurs across NuGet/npm/PyPI ecosystem advisories: publication of a fix does not equal remediation. Every application that vendored, pinned, or transitively resolved a vulnerable SqlClient version remains exposed until it is explicitly rebuilt against the patched release.

Remediation Steps

  1. Inventory every project that resolves Microsoft.Data.SqlClient or System.Data.SqlClient, including transitive references pulled in through Entity Framework Core, Dapper-based data layers, reporting/BI tooling, and internal shared libraries. Don't rely on .csproj inspection alone — resolve the actual lockfile/packages.lock.json or build output to see what version ships in production artifacts.
  2. Upgrade to a patched Microsoft.Data.SqlClient release and, for applications still on System.Data.SqlClient, apply the corresponding .NET Framework/runtime update. Prefer migrating long-lived legacy apps off System.Data.SqlClient onto the actively maintained Microsoft.Data.SqlClient where feasible, since the legacy package receives narrower ongoing security attention.
  3. Verify connection-string encryption settings explicitly. Confirm Encrypt=true (the modern default in recent driver versions) and avoid TrustServerCertificate=true in production, which disables certificate validation and reintroduces MITM exposure independent of this CVE.
  4. Rebuild and redeploy, don't just patch the restore cache. A dotnet restore that pulls the fixed package version is meaningless if the running production binaries were built and containerized before the bump. Confirm the deployed artifact — container image, published build, or installed application — actually embeds the patched assembly.
  5. Add masking and least-privilege as defense in depth. Even with TLS correctly enforced, apply column-level or dynamic data masking on sensitive fields (SSNs, payment data, health records) at the database or application layer, and scope database credentials to least privilege. A security bypass in the transport layer is far less damaging if the data an attacker can see in transit is already masked or tokenized, and if the compromised credential set can't reach the crown-jewel tables.
  6. Re-scan after remediation. Confirm through SCA tooling or manual verification that no build path — including old container base images, cached artifacts, or vendored copies — still resolves a pre-fix SqlClient version.

How Safeguard Helps

CVE-2024-0056 is a good illustration of why supply chain security can't stop at "is the CVE patched in one manifest file." Safeguard is built to close exactly the gaps this advisory exposes:

  • Continuous SBOM-driven dependency inventory that tracks Microsoft.Data.SqlClient and System.Data.SqlClient across every repository, service, and build artifact in your environment — including transitive resolution through ORMs and shared internal packages — so you don't have to manually chase down every place a data-access library got vendored in.
  • Build-artifact verification, not just manifest scanning, confirming that the version resolved in your lockfile actually matches what's compiled into the container image or binary running in production, closing the "we upgraded the package but never rebuilt" gap that leaves security bypass vulnerabilities like this one silently unremediated.
  • Risk-prioritized alerting that accounts for exploitability signals — CVSS vector, KEV status, and observed exploitation activity — so security bypass and TLS-related CVEs affecting data-access libraries are triaged with the urgency their access to sensitive data warrants, rather than getting lost in a generic dependency-update backlog.
  • Policy enforcement for encryption and masking posture, letting teams codify rules such as "no production connection strings with TrustServerCertificate=true" or "PII columns must have masking policies applied," turning the remediation guidance above into automatically enforced guardrails rather than one-time advice.
  • Provenance and attestation tracking, so when Microsoft or the .NET team ships the next SqlClient advisory, Safeguard can immediately tell you which of your services are affected, which have already been rebuilt against the fix, and which still need attention — collapsing what is normally a multi-day manual audit into a real-time view.

Database client libraries rarely get the security attention that web frameworks or authentication libraries do, but they sit directly in the path to your most sensitive data. CVE-2024-0056 is a reminder that "encrypted connection" is a claim your dependency stack has to actually deliver on, and that verifying it — continuously, across every build — is core supply chain security work, not an afterthought.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.