CVE-2021-46580
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious JT files in Bentley MicroStation CONNECT. Attackers can exploit improper validation during JT file parsing to run code with the same privileges as the current user. Users of affected Bentley MicroStation versions are at risk.
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the user running MicroStation, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Attacker executes malicious code on the victim's machine, potentially installing malware, stealing sensitive data, or using the compromised system as a foothold for further attacks.
If Mitigated
Limited impact with proper security controls - user account isolation and application sandboxing could contain the damage to the user's session only.
🎯 Exploit Status
User interaction required (opening malicious file), but exploitation is straightforward once the malicious file is processed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to version 10.16.1.1 or later
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005
Restart Required: Yes
Instructions:
1. Download the latest MicroStation CONNECT update from Bentley's official website or through the Bentley CONNECTION Client.
2. Run the installer with administrative privileges.
3. Restart the system after installation completes.
🔧 Temporary Workarounds
Disable JT file association
Windows: Remove JT file type association with MicroStation to prevent automatic opening
Control Panel > Default Programs > Associate a file type or protocol with a program > Select .jt > Change program > Choose another application
Implement application whitelisting
All platforms: Restrict execution of MicroStation to trusted locations only
🧯 If You Can't Patch
- Implement strict email filtering to block JT attachments from untrusted sources
- Educate users to never open JT files from unknown or untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check MicroStation version in Help > About MicroStation. If version is 10.16.0.80 or earlier, the system is vulnerable.
Check Version:
In MicroStation: Help > About MicroStation
Verify Fix Applied:
Verify version is 10.16.1.1 or later in Help > About MicroStation.
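To run the version check above on many Windows hosts instead of opening Help > About on each, the following PowerShell sketch (an added example, not from Bentley or the original advisory) reads the installed-programs registry entries, compares them to the two versions stated on this page, and reports the machine-wide .jt handler. It assumes the installer registers a DisplayName containing "MicroStation" and a DisplayVersion that matches the Help > About value; Get-PatchState is a helper name introduced here.

```powershell
# Added example: inventory check against the version thresholds stated on this page.
# Assumption: the product registers a DisplayName containing "MicroStation" and a
# DisplayVersion equal to the Help > About version; confirm on one known host first.
$LastVulnerable = [version]'10.16.0.80'   # from "Check if Vulnerable"
$FirstFixed     = [version]'10.16.1.1'    # from "Official Fix"

function Get-PatchState {
    param([string]$DisplayVersion)
    $v = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$v)) { return 'UNPARSEABLE' }
    if ($v -ge $FirstFixed)     { return 'FIXED' }
    if ($v -le $LastVulnerable) { return 'VULNERABLE' }
    return 'UNKNOWN'   # between the two builds the page names; check manually
}

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*MicroStation*' }
if (-not $found) { Write-Output 'No MicroStation install registered on this host.' }
foreach ($app in $found) {
    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        Product = $app.DisplayName
        Version = $app.DisplayVersion
        State   = Get-PatchState $app.DisplayVersion
    }
}

# Workaround check: show the machine-wide handler registered for .jt, if any.
# Per-user "Default Programs" choices are stored separately and are not covered here.
$assoc = cmd /c assoc .jt 2>$null
if ("$assoc" -match '^\.jt=(.+)$') {
    $handler = cmd /c ftype $Matches[1] 2>$null
    Write-Output "Machine-wide .jt handler: $handler"
} else {
    Write-Output 'No machine-wide .jt association.'
}
```

A State of UNKNOWN or UNPARSEABLE means the registry value did not map cleanly onto the two versions this page gives, so confirm that host through Help > About MicroStation.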
📡 Detection & Monitoring
Log Indicators:
- Unexpected process crashes of MicroStation
- Unusual file access patterns for JT files
- Security software alerts for suspicious behavior
Network Indicators:
- Downloads of JT files from suspicious sources
- Outbound connections from MicroStation process to unknown IPs
SIEM Query:
Process:MicroStation.exe AND (FileExtension:jt OR FilePath:*\*.jt) AND EventID:4688