CVE-2021-34905
📋 TL;DR
CVE-2021-34905 is a heap-based buffer overflow vulnerability in Bentley View's DGN file parser that allows remote code execution. Attackers can exploit this by tricking users into opening malicious DGN files or visiting malicious web pages. Users of affected Bentley View versions are at risk.
💻 Affected Systems
- Bentley View
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Attacker executes arbitrary code in the context of the current user, potentially installing malware, stealing credentials, or establishing persistence on the system.
If Mitigated
With proper controls like application whitelisting and least privilege, impact is limited to the user's context with no administrative privileges or network access.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file) but the vulnerability itself is straightforward to exploit once the malicious file is opened.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Bentley View 10.16.0.80 and later
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0009
Restart Required: Yes
Instructions:
1. Download and install Bentley View version 10.16.0.80 or later from Bentley's official website.
2. Close all instances of Bentley View before installation.
3. Run the installer with administrative privileges.
4. Restart the system after installation completes.
🔧 Temporary Workarounds
Disable DGN file association
Platform: Windows
Remove Bentley View as the default handler for .dgn files to prevent automatic exploitation when files are opened.
Control Panel > Default Programs > Associate a file type or protocol with a program > Select .dgn > Change program > Choose another application
Application control policy
Platform: All
Implement application whitelisting to prevent execution of unauthorized Bentley View versions.
🧯 If You Can't Patch
- Implement network segmentation to isolate systems running vulnerable Bentley View versions from critical assets.
- Apply the principle of least privilege to user accounts that must use Bentley View to limit potential damage from exploitation.
🔍 How to Verify
Check if Vulnerable:
Check the Bentley View version by opening the application and navigating to Help > About Bentley View. If the version is 10.15.0.75 or earlier, the system is vulnerable.
Check Version:
In Bentley View: Help > About Bentley View
Verify Fix Applied:
After patching, verify that the version shown under Help > About Bentley View is 10.16.0.80 or later. Test with known safe DGN files to confirm that functionality is maintained.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from Bentley View executable
- Multiple failed attempts to open corrupted DGN files
- Unexpected network connections originating from Bentley View process
Network Indicators:
- Outbound connections from Bentley View to unknown external IPs
- Unusual DNS queries for command and control domains from systems running Bentley View
SIEM Query:
Process Creation where Image contains 'bentley' AND (CommandLine contains '.dgn' OR ParentImage contains 'explorer.exe')
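The query above matches every legitimate double-click on a .dgn file (the parent is always explorer.exe), so on its own it is an enrichment filter rather than an alert. The log indicator that carries real signal is the first one listed: Bentley View spawning a shell or script host. The following added example (not from the advisory or from Bentley) expresses both as rules and runs them over constructed process-creation events; the Sysmon-style field names Image, CommandLine and ParentImage, and all paths, are assumptions for the example.

```python
# Added example: the advisory's SIEM query and its "unusual process creation
# from Bentley View" indicator as Python rules over constructed events.
# Field names (Image, CommandLine, ParentImage) follow Sysmon conventions and
# are assumed; no real logs are used.
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample events; every path and file name here is made up.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Program Files\Bentley\View\BentleyView.exe",
     "CommandLine": r'"BentleyView.exe" C:\Users\alice\Downloads\plan.dgn',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami",
     "ParentImage": r"C:\Program Files\Bentley\View\BentleyView.exe"},
    {"Image": r"C:\Program Files\Bentley\View\BentleyView.exe",
     "CommandLine": r'"BentleyView.exe"',
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Shells and script hosts a document viewer has no reason to launch.
SUSPICIOUS_CHILDREN = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe")


def _lc(event: Event, field: str) -> str:
    return event.get(field, "").lower()


def matches_siem_query(event: Event) -> bool:
    """Literal translation of the advisory's query: Image contains 'bentley'
    AND (CommandLine contains '.dgn' OR ParentImage contains 'explorer.exe')."""
    return "bentley" in _lc(event, "Image") and (
        ".dgn" in _lc(event, "CommandLine")
        or "explorer.exe" in _lc(event, "ParentImage"))


def is_suspicious_child(event: Event) -> bool:
    """The 'unusual process creation' indicator: Bentley View as the parent
    of a shell or script host."""
    parent_is_viewer = "bentley" in _lc(event, "ParentImage")
    child_name = _lc(event, "Image").rsplit("\\", 1)[-1]
    return parent_is_viewer and child_name in SUSPICIOUS_CHILDREN


def triage(events: List[Event]) -> List[Dict[str, object]]:
    """One finding per event that trips a rule, with a severity.

    The SIEM query alone mostly matches normal viewing, so it rates 'info';
    a shell child of the viewer is rare in legitimate use and rates 'high'.
    """
    findings: List[Dict[str, object]] = []
    for i, ev in enumerate(events):
        rules = []
        if is_suspicious_child(ev):
            rules.append("bentley-spawns-shell")
        if matches_siem_query(ev):
            rules.append("siem-query")
        if rules:
            sev = "high" if "bentley-spawns-shell" in rules else "info"
            findings.append({"index": i, "severity": sev, "rules": rules,
                             "image": ev["Image"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:>4}] event {f['index']}: {f['image']} "
              f"({', '.join(f['rules'])})")
```

Run against the samples, the .dgn open from explorer.exe produces an info-level match and the cmd.exe child of BentleyView.exe produces the high-severity finding; the viewer started by services.exe without a file and the unrelated notepad.exe event produce nothing, which is the behaviour to expect before tuning the child-process list to the environment.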