CVE-2021-46588 – This is a use-after-free vulnerability in Bentl... (How to Fix)

Q: What is the severity of CVE-2021-46588?

CVE-2021-46588 has a CVSS score of 7.8 (HIGH). This is a use-after-free vulnerability in Bentley MicroStation CONNECT that allows remote code execution when parsing malicious JT files. Attackers can exploit it by tricking users into opening specially crafted files, potentially compromising systems running the vulnerable software.

📋 TL;DR

This is a use-after-free vulnerability in Bentley MicroStation CONNECT that allows remote code execution when parsing malicious JT files. Attackers can exploit it by tricking users into opening specially crafted files, potentially compromising systems running the vulnerable software.

💻 Affected Systems

Products:

Bentley MicroStation CONNECT

Versions: 10.16.0.80 and earlier versions

Operating Systems: Windows, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All installations running affected versions are vulnerable when processing JT files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Local privilege escalation or arbitrary code execution within the context of the MicroStation process, potentially allowing file system access and further exploitation.

🟢

If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially only crashing the application.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file) but can be delivered via email, downloads, or compromised websites.

🏢 Internal Only: HIGH - Internal users frequently exchange engineering files, making social engineering attacks more likely to succeed within organizations.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires user interaction but no authentication. The vulnerability is well-documented and was assigned ZDI-CAN-15382.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 10.16.0.80

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005

Restart Required: Yes

Instructions:

1. Download and install the latest MicroStation CONNECT update from Bentley's official website. 2. Restart the application and any related services. 3. Verify the update was successful by checking the version number.

🔧 Temporary Workarounds

Restrict JT file handling

windows

Configure system to open JT files with alternative applications or block JT file execution in MicroStation

Use Windows Group Policy to modify file associations for .jt files
Implement application control policies to restrict MicroStation from opening untrusted JT files

User awareness training

all

Educate users about the risks of opening untrusted engineering files

🧯 If You Can't Patch

Implement application sandboxing or virtualization for MicroStation
Restrict user privileges to limit potential damage from successful exploitation

🔍 How to Verify

Check if Vulnerable:

Check MicroStation version: Open MicroStation, go to Help > About, verify version is 10.16.0.80 or earlier.

Check Version:

On Windows: Check application properties or registry at HKEY_LOCAL_MACHINE\SOFTWARE\Bentley\MicroStation

Verify Fix Applied:

After updating, verify version is newer than 10.16.0.80 in Help > About menu.

📡 Detection & Monitoring

Log Indicators:

Application crashes when processing JT files
Unexpected process creation from MicroStation
Memory access violations in application logs

Network Indicators:

Downloads of JT files from untrusted sources
Unusual outbound connections from MicroStation process

SIEM Query:

Process Creation where Image contains 'ustation' AND CommandLine contains '.jt'

📊 Metadata

CVE ID: CVE-2021-46588

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: February 18, 2022

Last Updated: November 21, 2024

🔗 References

https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-175/ Third Party Advisory,VDB Entry
https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-175/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46588, you might also want to check these: