CVE-2021-46592

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Bentley MicroStation CONNECT installations by tricking users into opening malicious 3DS files. The flaw lies in the 3DS file parser, which does not validate that an object exists before operating on it. Users of affected Bentley MicroStation versions are at risk.

💻 Affected Systems

Products:
  • Bentley MicroStation CONNECT
Versions: 10.16.0.80 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default when processing 3DS files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Attacker executes malicious code in the context of the current user, potentially installing malware, stealing sensitive project data, or establishing persistence on the system.

🟢 If Mitigated

If proper controls are in place, impact is limited to the user's privileges and contained within security boundaries, though data loss or limited system access may still occur.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

User interaction required (opening malicious file), but exploitation is straightforward once the user is tricked. The vulnerability was disclosed through ZDI-CAN-15386.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to version later than 10.16.0.80

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0004

Restart Required: Yes

Instructions:

1. Download the latest MicroStation CONNECT update from Bentley's official website.
2. Run the installer with administrative privileges.
3. Restart the system after installation completes.
4. Verify the update was successful by checking the version number.

🔧 Temporary Workarounds

Block 3DS file extensions (platform: windows)

Prevent MicroStation from processing potentially malicious 3DS files by blocking the file extension at the system or application level.

Windows: Use Group Policy or registry to block .3ds file associations

Restrict file opening privileges (platform: all)

Limit which users can open 3DS files in MicroStation to reduce attack surface.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized code
  • Use network segmentation to isolate MicroStation systems from critical infrastructure

🔍 How to Verify

Check if Vulnerable:

Check MicroStation version: Open MicroStation, go to Help > About, verify version is 10.16.0.80 or earlier.

Check Version:

In MicroStation: Help > About

Verify Fix Applied:

After updating, verify version is later than 10.16.0.80 in Help > About dialog.
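The version check above is easy to get wrong in an inventory script if versions are compared as strings ("9.0.0.1" sorts after "10.16.0.80" lexicographically). The following is an added example, not part of the advisory, that compares dotted versions numerically against the last affected build stated on this page; the function names and the sample versions are assumptions for illustration.

```python
from typing import Tuple

# Last affected build as stated in the advisory for CVE-2021-46592.
LAST_AFFECTED = "10.16.0.80"


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version string such as '10.16.0.80' into integers.

    Raises ValueError for non-numeric components so that a malformed
    inventory entry is noticed instead of silently ranked as 'fixed'.
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True if `version` is less than or equal to the last affected build.

    Components are compared numerically, position by position; shorter
    versions are right-padded with zeros ('10.16' == '10.16.0.0').
    """
    current = parse_version(version)
    boundary = parse_version(last_affected)
    width = max(len(current), len(boundary))
    current += (0,) * (width - len(current))
    boundary += (0,) * (width - len(boundary))
    return current <= boundary


def triage(versions) -> dict:
    """Map each reported version string to 'affected' or 'fixed'."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real host data.
    for ver, status in triage(["10.16.0.80", "10.16.0.81", "9.0.0.1", "10.17"]).items():
        print(f"{ver:>12}  {status}")
```

Note that the naive string comparison `"9.0.0.1" > "10.16.0.80"` evaluates to True in Python, which is exactly the mistake the numeric comparison avoids.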

📡 Detection & Monitoring

Log Indicators:

  • Failed 3DS file parsing attempts
  • Unexpected process creation from MicroStation
  • Crash logs related to 3DS file handling

Network Indicators:

  • Downloads of 3DS files from untrusted sources
  • Outbound connections from MicroStation to suspicious IPs

SIEM Query:

Process creation where parent process contains 'MicroStation' AND (command line contains '.3ds' OR destination IP is suspicious)
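The SIEM query above is pseudocode. The block below is an added example, not part of the advisory, that applies the same logic to a handful of constructed Sysmon-style JSON events: a process-creation event (EventID 1) alerts when the parent image contains "MicroStation" and a `.3ds` path appears on the child's or parent's command line, and a network-connection event (EventID 3) alerts when MicroStation connects to an address on a watchlist. The field names follow Sysmon conventions; the file paths, the 203.0.113.0/24 watchlist, and the events themselves are made up for this example.

```python
import json
from ipaddress import ip_address, ip_network
from typing import Dict, Iterator, List, Optional

# Constructed sample events (not real logs). EventID 1 = process creation,
# EventID 3 = network connection. Paths and IPs are invented; 203.0.113.0/24
# is a documentation range standing in for a threat-intel watchlist.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami", "ParentImage": "C:\\Apps\\MicroStation\\MicroStation.exe", "ParentCommandLine": "MicroStation.exe C:\\Users\\alice\\Downloads\\model.3ds"}
{"EventID": 1, "Image": "C:\\Apps\\MicroStation\\MicroStation.exe", "CommandLine": "MicroStation.exe C:\\Projects\\bridge.3ds", "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"}
{"EventID": 1, "Image": "C:\\Apps\\MicroStation\\Updater.exe", "CommandLine": "Updater.exe /check", "ParentImage": "C:\\Apps\\MicroStation\\MicroStation.exe", "ParentCommandLine": "MicroStation.exe"}
{"EventID": 3, "Image": "C:\\Apps\\MicroStation\\MicroStation.exe", "DestinationIp": "203.0.113.45", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Apps\\MicroStation\\MicroStation.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 5093}
"""

# Constructed watchlist; in practice this would come from a threat-intel feed.
SUSPICIOUS_NETWORKS = [ip_network("203.0.113.0/24")]


def parse_events(text: str) -> Iterator[Dict]:
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def is_microstation(image_path: str) -> bool:
    """Case-insensitive substring match, as in the advisory's query."""
    return "microstation" in image_path.lower()


def is_suspicious_ip(ip_text: str) -> bool:
    """True if the address falls inside any watchlisted network."""
    try:
        addr = ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in SUSPICIOUS_NETWORKS)


def evaluate(event: Dict) -> Optional[str]:
    """Return an alert message for a matching event, else None."""
    event_id = event.get("EventID")

    # Child process spawned by MicroStation while a .3ds path is visible.
    # Caveat: a 3DS file imported through the in-app dialog leaves no trace
    # on the command line, so this branch only catches files opened from the
    # shell or passed as an argument.
    if event_id == 1 and is_microstation(event.get("ParentImage", "")):
        cmdlines = " ".join(
            [event.get("CommandLine", ""), event.get("ParentCommandLine", "")]
        ).lower()
        if ".3ds" in cmdlines:
            return (
                f"MicroStation spawned {event.get('Image')} "
                "while a .3ds path was on the command line"
            )

    # MicroStation itself talking to a watchlisted address.
    if event_id == 3 and is_microstation(event.get("Image", "")):
        dst = event.get("DestinationIp", "")
        if is_suspicious_ip(dst):
            return f"MicroStation connected to watchlisted address {dst}"

    return None


def scan(text: str) -> List[str]:
    """Run the rule over a JSON-lines log and collect alert messages."""
    return [msg for msg in (evaluate(e) for e in parse_events(text)) if msg]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

Of the five constructed events, only the first (cmd.exe launched by MicroStation with a `.3ds` path on the parent command line) and the fourth (connection to the watchlisted 203.0.113.45) produce alerts; MicroStation being launched by Explorer, a child process without a `.3ds` path, and a connection to an internal address are all left alone. Treat this as a starting point for tuning rather than a finished rule, since MicroStation legitimately spawns helper processes.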
