CVE-2021-46564 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2021-46564?

CVE-2021-46564 has a CVSS score of 7.8 (HIGH). This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious JT files in Bentley MicroStation CONNECT. Attackers can exploit a buffer overflow in JT file parsing to gain code execution in the current process context. Users of affected Bentley MicroStation versions are at risk.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious JT files in Bentley MicroStation CONNECT. Attackers can exploit a buffer overflow in JT file parsing to gain code execution in the current process context. Users of affected Bentley MicroStation versions are at risk.

💻 Affected Systems

Products:

Bentley MicroStation CONNECT

Versions: 10.16.0.80 and earlier versions

Operating Systems: Windows, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All installations with JT file parsing enabled are vulnerable. User interaction required (opening malicious file).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Malware installation or data theft through user-initiated malicious file opening, potentially leading to ransomware or credential theft.

🟢

If Mitigated

Limited impact with proper user training and file restrictions, potentially only causing application crashes.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires user interaction but no authentication. Weaponization likely due to ZDI publication and RCE nature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.16.1.0 or later

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005

Restart Required: Yes

Instructions:

1. Download latest MicroStation CONNECT version from Bentley website
2. Run installer with administrative privileges
3. Restart system after installation completes

🔧 Temporary Workarounds

Disable JT file association

windows

Remove JT file type association with MicroStation to prevent automatic opening

Windows: Control Panel > Default Programs > Associate a file type or protocol with a program > Remove .jt association

Implement file extension filtering

all

Block JT files at email/web gateway or endpoint protection

🧯 If You Can't Patch

Implement application whitelisting to block unauthorized executables
Train users to avoid opening JT files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check MicroStation version in Help > About. If version is 10.16.0.80 or earlier, system is vulnerable.

Check Version:

Windows: wmic product where name="MicroStation" get version

Verify Fix Applied:

Verify version is 10.16.1.0 or later in Help > About. Test with known safe JT files to ensure parsing works.

📡 Detection & Monitoring

Log Indicators:

Application crashes with JT file parsing errors
Unusual process creation from MicroStation executable

Network Indicators:

Downloads of JT files from suspicious sources
Outbound connections from MicroStation to unknown IPs

SIEM Query:

process_name:"ustation.exe" AND (event_id:1000 OR event_id:1001) AND file_extension:".jt"

📊 Metadata

CVE ID: CVE-2021-46564

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: February 18, 2022

Last Updated: November 21, 2024

🔗 References

https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-151/ Third Party Advisory,VDB Entry
https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-151/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46564, you might also want to check these: