CVE-2021-46562
📋 TL;DR
CVE-2021-46562 is an out-of-bounds read vulnerability in Bentley MicroStation CONNECT's JT file parser that allows remote code execution. Attackers can exploit this by tricking users into opening malicious JT files, potentially compromising the entire system. Users of affected Bentley MicroStation versions are at risk.
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the victim's computer, enabling data theft, ransomware deployment, or lateral movement within networks.
Likely Case
Local privilege escalation leading to installation of malware, data exfiltration, or persistence mechanisms on the affected workstation.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash without code execution.
🎯 Exploit Status
Exploitation requires user interaction but no authentication. Weaponization likely due to RCE potential and file format vulnerabilities being commonly exploited.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.16.1.0 or later
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005
Restart Required: Yes
Instructions:
1. Download latest MicroStation CONNECT version from Bentley's official site. 2. Run installer with administrative privileges. 3. Follow installation wizard. 4. Restart computer after installation completes.
🔧 Temporary Workarounds
Disable JT file association
windowsRemove JT file type association with MicroStation to prevent automatic opening
Windows: Control Panel > Default Programs > Associate a file type or protocol with a program > Select .jt > Change program > Choose different application
Application control policy
allBlock execution of MicroStation from untrusted locations or user directories
🧯 If You Can't Patch
- Implement strict email filtering to block JT attachments from untrusted sources
- Use application sandboxing or virtualization for MicroStation execution
🔍 How to Verify
Check if Vulnerable:
Check MicroStation version via Help > About. If version is 10.16.0.80 or earlier, system is vulnerable.Check Version:
Windows: wmic product where name="MicroStation CONNECT" get versionVerify Fix Applied:
Verify version is 10.16.1.0 or later in Help > About dialog.📡 Detection & Monitoring
Log Indicators:
- Application crashes with JT file processing
- Unusual process creation from MicroStation executable
- Failed file parsing attempts in application logs
Network Indicators:
- JT file downloads from suspicious sources
- Outbound connections from MicroStation to unknown IPs post-file opening
SIEM Query:
process_name:"ustation.exe" AND (event_id:1000 OR event_id:1001) OR file_extension:".jt" AND source_ip:[suspicious_ips]