CVE-2021-34876

7.8 HIGH

📋 TL;DR

CVE-2021-34876 is a buffer overflow vulnerability in Bentley View's JT file parser that allows remote code execution. Attackers can exploit it by tricking users into opening malicious JT files, potentially compromising affected systems. Users of Bentley View 10.15.0.75 are primarily affected.

💻 Affected Systems

Products:
  • Bentley View
Versions: 10.15.0.75
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction to open malicious JT files. All default installations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the affected machine, data theft, ransomware deployment, and lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to data exfiltration, installation of backdoors, or use as an initial access vector for broader attacks.

🟢 If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash only.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction but is technically straightforward once the malicious file is opened. No authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.16.0.80 or later

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005

Restart Required: Yes

Instructions:

1. Download latest Bentley View version from official Bentley website.
2. Run installer with administrative privileges.
3. Restart system after installation completes.

🔧 Temporary Workarounds

Disable JT file association (Windows)

Remove Bentley View as the default handler for .jt files to prevent automatic exploitation

Control Panel > Default Programs > Associate a file type or protocol with a program > Select .jt > Change program > Choose another application

Application sandboxing (Windows)

Run Bentley View in a restricted environment using application control solutions

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Bentley View systems
  • Deploy application whitelisting to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Check the Bentley View version in Help > About. If the version is 10.15.0.75, the system is vulnerable.

Check Version:

wmic product where name="Bentley View" get version

Verify Fix Applied:

Verify version is 10.16.0.80 or later in Help > About menu.
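
The same check scripted for use across many hosts, as an added example that is not part of the original advisory or Bentley's tooling. It reads the uninstall registry keys rather than calling wmic product, which is slow because it triggers a Windows Installer consistency check on every installed MSI package. Assumptions: the uninstall entry's DisplayName starts with "Bentley View" (taken from the wmic query above), and the function name Get-BentleyViewStatus and its status labels are hypothetical.

```powershell
# Added example: classify installed Bentley View builds against the versions on this page.
$VulnerableVersion = [version]'10.15.0.75'   # affected version per this page
$FixedVersion      = [version]'10.16.0.80'   # patch version per this page

function Get-BentleyViewStatus {
    # Hypothetical helper: maps a DisplayVersion string to a status label.
    param([string]$DisplayVersion)
    $parsed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return 'Unparseable' }
    if ($parsed -ge $FixedVersion)      { return 'Fixed' }
    if ($parsed -eq $VulnerableVersion) { return 'Vulnerable' }
    # Older than the fixed build but not the version this page lists: review manually.
    return 'BelowFixedVersion'
}

# Both the native and the 32-bit-on-64-bit uninstall hives are checked.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        # Assumption: DisplayName begins with "Bentley View".
        $_.PSObject.Properties['DisplayName'] -and $_.DisplayName -like 'Bentley View*'
    } |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Status   = Get-BentleyViewStatus -DisplayVersion ([string]$_.DisplayVersion)
        }
    }
```

No output means no matching uninstall entry was found on the host; confirm the display name on one known installation before relying on an empty result.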

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unusual process spawning from Bentley View executable
  • Failed attempts to open corrupted JT files

Network Indicators:

  • Downloads of JT files from untrusted sources
  • Outbound connections from Bentley View to unknown IPs

SIEM Query:

source="windows" AND (process_name="BentleyView.exe" AND (event_id=1000 OR event_id=1001))
