CVE-2021-46568 – This is a buffer overflow vulnerability in Bent... (How to Fix)

Q: What is the severity of CVE-2021-46568?

CVE-2021-46568 has a CVSS score of 7.8 (HIGH). This is a buffer overflow vulnerability in Bentley MicroStation CONNECT that allows remote code execution. Attackers can exploit it by tricking users into opening malicious JT files, potentially taking control of the affected system. Users of vulnerable Bentley MicroStation CONNECT installations are affected.

📋 TL;DR

This is a buffer overflow vulnerability in Bentley MicroStation CONNECT that allows remote code execution. Attackers can exploit it by tricking users into opening malicious JT files, potentially taking control of the affected system. Users of vulnerable Bentley MicroStation CONNECT installations are affected.

💻 Affected Systems

Products:

Bentley MicroStation CONNECT

Versions: Version 10.16.0.80 and earlier

Operating Systems: Windows, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All installations with JT file parsing capability are vulnerable by default. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control over the workstation, potentially leading to lateral movement within the network, data theft, or ransomware deployment.

🟠

Likely Case

Local privilege escalation leading to installation of malware, data exfiltration, or persistence mechanisms on the compromised workstation.

🟢

If Mitigated

Limited impact due to application sandboxing or restricted user privileges, potentially resulting in application crash rather than full compromise.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious files, but could be delivered via email attachments or compromised websites.

🏢 Internal Only: HIGH - Internal users frequently exchange engineering files, making social engineering attacks more likely to succeed within organizations.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires user interaction but the vulnerability itself is straightforward - crafted JT file triggers buffer overflow. ZDI advisory suggests reliable exploitation is possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 10.16.1.0 or later

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005

Restart Required: Yes

Instructions:

1. Download latest MicroStation CONNECT update from Bentley's official website or through Bentley CONNECTION Client. 2. Run the installer with administrative privileges. 3. Restart the system after installation completes.

🔧 Temporary Workarounds

Disable JT file association

windows

Remove JT file type association with MicroStation to prevent automatic opening

Control Panel > Default Programs > Associate a file type or protocol with a program > Select .jt > Change program > Choose another application

Implement application whitelisting

all

Restrict execution of MicroStation to trusted locations only

🧯 If You Can't Patch

Implement strict email filtering to block JT attachments
Use application sandboxing or virtualization for MicroStation execution

🔍 How to Verify

Check if Vulnerable:

Check MicroStation version: Open MicroStation > Help > About > Check if version is 10.16.0.80 or earlier

Check Version:

On Windows: wmic product where name="MicroStation" get version

Verify Fix Applied:

Verify version is 10.16.1.0 or later in Help > About dialog

📡 Detection & Monitoring

Log Indicators:

Application crashes with access violation errors
Unexpected child processes spawned from MicroStation
Unusual file access patterns from MicroStation process

Network Indicators:

Outbound connections from MicroStation to unknown IPs
DNS queries for suspicious domains from workstation running MicroStation

SIEM Query:

Process Creation where Image contains "MicroStation" and CommandLine contains ".jt"

📊 Metadata

CVE ID: CVE-2021-46568

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: February 18, 2022

Last Updated: November 21, 2024

🔗 References

https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-155/ Third Party Advisory,VDB Entry
https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-155/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46568, you might also want to check these: