CVE-2021-46576
📋 TL;DR
This is a remote code execution vulnerability in Bentley MicroStation CONNECT software that allows attackers to execute arbitrary code by tricking users into opening malicious JT files. The vulnerability exists due to improper bounds checking when parsing JT files, leading to a buffer overflow. Users of affected Bentley MicroStation versions are at risk.
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Attacker executes malicious code in the context of the current user, potentially stealing sensitive design files, installing malware, or establishing persistence on the system.
If Mitigated
Limited impact due to application sandboxing, user privilege restrictions, or network segmentation preventing lateral movement.
🎯 Exploit Status
Exploitation requires user interaction but the vulnerability is well-documented and weaponization is likely given the RCE nature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to version 10.16.1.0 or later
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005
Restart Required: Yes
Instructions:
1. Download the latest MicroStation CONNECT update from Bentley's official website or through the Bentley CONNECTION Client.
2. Run the installer with administrative privileges.
3. Restart the system after installation completes.
🔧 Temporary Workarounds
Block JT file extensions
Windows: Prevent opening of JT files at the system or network level
Using Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules > New Path Rule: Path: *.jt, Security Level: Disallowed
Disable web-based file opening
All platforms: Prevent automatic opening of JT files from web browsers
Browser settings: Disable automatic file opening for .jt extensions in all installed browsers
🧯 If You Can't Patch
- Implement application whitelisting to only allow execution of approved applications
- Restrict user privileges to standard user accounts (not administrator) to limit impact
🔍 How to Verify
Check if Vulnerable:
Check MicroStation version via Help > About MicroStation. If version is 10.16.0.80 or earlier, the system is vulnerable.
Check Version:
In MicroStation: Help > About MicroStation
Verify Fix Applied:
After updating, verify version is 10.16.1.0 or later in Help > About MicroStation.
📡 Detection & Monitoring
Log Indicators:
- Unexpected process crashes of MicroStation.exe
- Creation of suspicious child processes from MicroStation.exe
- Unusual file access patterns to JT files
Network Indicators:
- Outbound connections from MicroStation.exe to unknown IP addresses
- Downloads of JT files from untrusted sources
SIEM Query:
Process Creation where (Image contains 'MicroStation.exe' AND CommandLine contains '.jt') OR (ParentImage contains 'MicroStation.exe' AND Image not in approved_process_list)
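The SIEM query above, written out as an added Python example (not code from this page or from Bentley) and run over constructed process-creation events. The approved-process names, all paths and the field layout are assumptions. It tightens the query's "contains" tests to an exact, case-insensitive image name and a `.jt` file-name ending.

```python
import ntpath
import re

TARGET = "microstation.exe"
# Assumption: the page does not define approved_process_list. These names are
# placeholders; replace them with the child processes from your own baseline.
APPROVED_CHILDREN = {"microstation.exe", "werfault.exe"}
# ".jt" only as a file-name ending, so ".jtmp" or ".jtx" arguments do not match.
JT_ARG = re.compile(r'\.jt(?=["\s]|$)', re.IGNORECASE)

def _name(path):
    """Lower-cased file name of a Windows path; tolerates quotes and None."""
    return ntpath.basename((path or "").strip().strip('"')).lower()

def match_rule(event):
    """Return the clauses of the page's SIEM query that this event satisfies."""
    hits = []
    image, parent = _name(event.get("Image")), _name(event.get("ParentImage"))
    if image == TARGET and JT_ARG.search(event.get("CommandLine") or ""):
        hits.append("jt_opened")
    if parent == TARGET and image not in APPROVED_CHILDREN:
        hits.append("unapproved_child")
    return hits

def triage(events):
    """Return (index, clauses) for every event that matches at least one clause."""
    return [(i, h) for i, e in enumerate(events) if (h := match_rule(e))]

# Constructed process-creation events; every path and value is made up.
MS = r"C:\Apps\MicroStation.exe"
SAMPLE_EVENTS = [
    {"Image": MS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Apps\MicroStation.exe" "C:\Users\a\Downloads\part.JT"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": MS,
     "CommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\WerFault.exe", "ParentImage": MS,
     "CommandLine": "WerFault.exe"},
    {"Image": MS, "ParentImage": None,
     "CommandLine": r'"C:\Apps\MicroStation.exe" C:\tmp\notes.jtmp'},
    {"Image": r"C:\Apps\NotMicroStation.exe", "ParentImage": MS.upper(),
     "CommandLine": r"NotMicroStation.exe C:\tmp\a.jt"},
]

if __name__ == "__main__":
    for index, clauses in triage(SAMPLE_EVENTS):
        print(index, clauses)
```

The "jt_opened" clause fires on every JT file opened from the command line, legitimate or not, so it is better suited to enrichment and correlation with the download and crash indicators than to alerting on its own.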