CVE-2021-46590 – This is a buffer overflow vulnerability in Bent... (How to Fix)

Q: What is the severity of CVE-2021-46590?

CVE-2021-46590 has a CVSS score of 7.8 (HIGH). This is a buffer overflow vulnerability in Bentley MicroStation CONNECT that allows remote code execution when users open malicious JT files. Attackers can exploit this to run arbitrary code with the privileges of the current user. All users of affected MicroStation versions are vulnerable.

📋 TL;DR

This is a buffer overflow vulnerability in Bentley MicroStation CONNECT that allows remote code execution when users open malicious JT files. Attackers can exploit this to run arbitrary code with the privileges of the current user. All users of affected MicroStation versions are vulnerable.

💻 Affected Systems

Products:

Bentley MicroStation CONNECT

Versions: 10.16.0.80 and earlier versions

Operating Systems: Windows, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All installations with JT file parsing capability are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Malware installation, data exfiltration, or system disruption when users open malicious JT files.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege, and file validation are implemented.

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious files, but could be delivered via email or web downloads.

🏢 Internal Only: HIGH - Internal users frequently exchange engineering files, making social engineering attacks effective.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires user interaction to open malicious JT file. Exploit development is feasible given the buffer overflow nature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.16.0.80 or later patched versions

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005

Restart Required: Yes

Instructions:

1. Download latest MicroStation CONNECT update from Bentley's official site. 2. Run installer with administrative privileges. 3. Restart system after installation completes.

🔧 Temporary Workarounds

Block JT file extensions

all

Prevent opening of JT files at the email gateway or endpoint.

Application whitelisting

windows

Restrict execution of MicroStation to trusted directories only.

🧯 If You Can't Patch

Implement strict network segmentation to isolate MicroStation systems
Enforce least privilege principles and disable unnecessary user permissions

🔍 How to Verify

Check if Vulnerable:

Check MicroStation version via Help > About. If version is 10.16.0.80 or earlier, system is vulnerable.

Check Version:

In MicroStation: Help > About or check Windows Programs and Features

Verify Fix Applied:

Verify version is updated beyond 10.16.0.80 and test opening known safe JT files.

📡 Detection & Monitoring

Log Indicators:

Application crashes of MicroStation
Unusual process creation from MicroStation

Network Indicators:

Unexpected outbound connections from MicroStation process

SIEM Query:

Process creation where parent process contains 'MicroStation' AND (command line contains '.jt' OR image loaded from suspicious location)

📊 Metadata

CVE ID: CVE-2021-46590

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-125

Published: February 18, 2022

Last Updated: November 21, 2024

🔗 References

https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-177/ Third Party Advisory,VDB Entry
https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-177/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46590, you might also want to check these: