CVE-2021-46566
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Bentley MicroStation CONNECT installations by tricking users into opening malicious JT files. The flaw exists in improper memory initialization during JT file parsing, enabling code execution in the current process context. Users of affected Bentley MicroStation versions are at risk.
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through remote code execution, potentially leading to data theft, ransomware deployment, or lateral movement within networks.
Likely Case
Malicious actors deliver malware or ransomware through spear-phishing campaigns using crafted JT files, compromising individual workstations.
If Mitigated
Limited impact with proper application whitelisting, file type restrictions, and user awareness training preventing malicious file execution.
🎯 Exploit Status
Requires user interaction (opening malicious file) but exploitation is straightforward once the file is opened. ZDI-CAN-15027 indicates professional vulnerability research.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to version 10.16.1.0 or later
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005
Restart Required: Yes
Instructions:
1. Download the latest MicroStation CONNECT update from Bentley's official site.
2. Run the installer with administrative privileges.
3. Restart the system after installation completes.
🔧 Temporary Workarounds
Disable JT file association
Windows: Remove the JT file type association with MicroStation to prevent automatic opening
Control Panel > Default Programs > Associate a file type or protocol with a program > Select .jt > Change program > Choose another application
Block JT files at perimeter
All platforms: Configure email gateways and web filters to block .jt file attachments
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized executables from running
- Train users to avoid opening JT files from untrusted sources and enable macro/file execution warnings
🔍 How to Verify
Check if Vulnerable:
Check the MicroStation version via Help > About MicroStation. If the version is 10.16.0.80 or earlier, the system is vulnerable.
Check Version:
Not applicable - check via GUI in MicroStation application
Verify Fix Applied:
Verify version is 10.16.1.0 or later in Help > About MicroStation dialog.
📡 Detection & Monitoring
Log Indicators:
- Process creation events for MicroStation with suspicious parent processes
- File access events for .jt files from unusual locations
Network Indicators:
- Downloads of .jt files from external sources
- Outbound connections from MicroStation process to unknown IPs
SIEM Query:
Process creation where Image contains 'ustation.exe' AND ParentImage NOT IN ('explorer.exe', 'cmd.exe')
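
The rule in the SIEM query above, applied to constructed process-creation events. This is an added example, not code from the original page or from Bentley. It compares lower-cased file names because Sysmon's Image and ParentImage fields hold full paths; the hosts, paths, and events in the sample data are assumptions, as is the extra `opens_jt` flag.

```python
import ntpath
import re

TARGET_IMAGE = "ustation.exe"
ALLOWED_PARENTS = {"explorer.exe", "cmd.exe"}  # the two parents the page's query allows
JT_ARG = re.compile(r'\.jt(?=["\s]|$)', re.IGNORECASE)

# Constructed events with Sysmon Event ID 1 field names; paths and hosts are made up.
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "Image": r"C:\Program Files\Bentley\MicroStation\ustation.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'ustation.exe "C:\Projects\bridge.dgn"'},
    {"Computer": "WS-02", "Image": r"C:\Program Files\Bentley\MicroStation\ustation.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'ustation.exe "C:\Users\a\AppData\Local\Temp\part.jt"'},
    {"Computer": "WS-03", "Image": r"C:\Program Files\Bentley\MicroStation\USTATION.EXE",
     "ParentImage": r"C:\Windows\System32\CMD.EXE",
     "CommandLine": r"ustation.exe C:\Projects\site.dgn"},
    {"Computer": "WS-04", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"notepad.exe C:\notes.txt"},
    {"Computer": "WS-05", "Image": r"C:\Program Files\Bentley\MicroStation\ustation.exe",
     "CommandLine": r"ustation.exe C:\Downloads\model.JT"},  # ParentImage missing
]


def leaf(path):
    """Lower-cased file name of a Windows path; empty string for missing values."""
    return ntpath.basename(path or "").lower()


def find_alerts(events):
    """Return one alert per MicroStation launch whose parent is not allow-listed."""
    alerts = []
    for ev in events:
        parent = leaf(ev.get("ParentImage"))
        if leaf(ev.get("Image")) != TARGET_IMAGE or parent in ALLOWED_PARENTS:
            continue
        alerts.append({"host": ev.get("Computer"), "parent": parent or "<unknown>",
                       "opens_jt": bool(JT_ARG.search(ev.get("CommandLine", "")))})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

An event with no ParentImage is flagged rather than skipped, so a gap in telemetry cannot hide a launch.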