CVE-2021-34945
📋 TL;DR
CVE-2021-34945 is a heap-based buffer overflow vulnerability in Bentley View's JT file parser that allows remote code execution. Attackers can exploit this by tricking users into opening malicious JT files or visiting malicious web pages. Users of affected Bentley View versions are vulnerable.
💻 Affected Systems
- Bentley View
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the user running Bentley View, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Attacker executes arbitrary code in the context of the current user, potentially installing malware, stealing sensitive data, or using the system as a foothold for further attacks.
If Mitigated
If proper controls are in place, impact is limited to the user's privileges and sandboxed environment, but still represents significant risk.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). The vulnerability is well-documented and weaponization is likely given the RCE nature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.16.0.61 or later
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005
Restart Required: Yes
Instructions:
1. Download the latest Bentley View version from the official Bentley website.
2. Install the update.
3. Restart the application and the system if prompted.
🔧 Temporary Workarounds
Disable JT file association
Platform: Windows
Remove the JT file type association with Bentley View to prevent automatic opening.
Control Panel > Default Programs > Associate a file type or protocol with a program > Select .jt > Change program > Choose another application
Block JT files at perimeter
Platform: All
Configure email gateways and web filters to block JT file attachments.
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized code
- Use least privilege accounts for Bentley View users to limit potential damage
🔍 How to Verify
Check if Vulnerable:
Check the Bentley View version in Help > About. If the version is 10.15.0.75 or earlier, the system is vulnerable.
Check Version:
In Bentley View: Help > About
Verify Fix Applied:
Verify that the version shown in Help > About is 10.16.0.61 or later.
📡 Detection & Monitoring
Log Indicators:
- Unexpected process crashes of Bentley View
- Unusual file access patterns for JT files
- Suspicious child processes spawned from Bentley View
Network Indicators:
- Outbound connections from Bentley View to unknown IPs
- JT file downloads from untrusted sources
SIEM Query:
(Process:Name='Bentley View' AND (EventID=1000 OR EventID=1001)) OR (FileExtension='.jt' AND SourceIP NOT IN (trusted_networks))
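The log and network indicators above, applied to constructed Windows event records as an added example (not part of the original advisory). It assumes the Bentley View binary is named BentleyView.exe, Sysmon event IDs 1 (process create) and 3 (network connection), and Application log event IDs 1000/1001 for crashes; the trusted networks and sample records are constructed.

```python
"""Triage Windows event records for the Bentley View indicators listed above."""
import ipaddress
import ntpath

BENTLEY_VIEW_IMAGE = "bentleyview.exe"   # assumed executable name (placeholder)
CRASH_EVENT_IDS = {1000, 1001}           # Application Error / Windows Error Reporting
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.0.2.0/24")]   # constructed allow-list

def is_bentley_view(image_path):
    """True when the path's file name is the (assumed) Bentley View binary."""
    return ntpath.basename(image_path or "").lower() == BENTLEY_VIEW_IMAGE

def is_trusted(ip):
    """True when the destination address falls inside a trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def triage(events):
    """Return (rule, detail) pairs for records matching the page's indicators."""
    alerts = []
    for ev in events:
        eid, src = ev.get("event_id"), ev.get("source")
        if eid in CRASH_EVENT_IDS and is_bentley_view(ev.get("faulting_app")):
            alerts.append(("bentley_view_crash", ev.get("faulting_app")))
        elif src == "Sysmon" and eid == 1:                 # process creation
            if is_bentley_view(ev.get("parent_image")):   # child spawned by the viewer
                alerts.append(("child_process_from_bentley_view", ev.get("image")))
            elif is_bentley_view(ev.get("image")) and ".jt" in ev.get("command_line", "").lower():
                alerts.append(("jt_file_opened", ev.get("command_line")))
        elif src == "Sysmon" and eid == 3:                 # outbound connection
            if is_bentley_view(ev.get("image")) and not is_trusted(ev["dest_ip"]):
                alerts.append(("untrusted_outbound", ev["dest_ip"]))
    return alerts

# Constructed sample records, not real telemetry.
VIEWER = r"C:\Program Files\Bentley\BentleyView.exe"
SAMPLE_EVENTS = [
    {"event_id": 1, "source": "Sysmon", "parent_image": r"C:\Windows\explorer.exe",
     "image": VIEWER, "command_line": f'"{VIEWER}" C:\\Users\\alice\\Downloads\\part.jt'},
    {"event_id": 1000, "source": "Application Error", "faulting_app": VIEWER},
    {"event_id": 1, "source": "Sysmon", "parent_image": VIEWER,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 3, "source": "Sysmon", "image": VIEWER, "dest_ip": "203.0.113.7"},
    {"event_id": 3, "source": "Sysmon", "image": VIEWER, "dest_ip": "10.1.2.3"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```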