CVE-2021-46601
📋 TL;DR
This vulnerability in Bentley MicroStation CONNECT allows remote attackers to execute arbitrary code by tricking users into opening malicious JT files. The flaw exists in JT file parsing where the software fails to validate object existence before operations, leading to use-after-free conditions. Users of affected Bentley MicroStation versions are at risk.
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement within networks.
Likely Case
Local privilege escalation or arbitrary code execution within the context of the MicroStation process, potentially allowing file system access, data exfiltration, or installation of malware.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash rather than code execution.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file) but no authentication; weaponization likely given the nature of the vulnerability and ZDI disclosure
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.16.0.80 or later updates
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005
Restart Required: Yes
Instructions:
1. Download latest MicroStation CONNECT update from Bentley Systems 2. Install the update following vendor instructions 3. Restart the application and system if prompted
🔧 Temporary Workarounds
Restrict JT file handling
windowsConfigure system to open JT files with alternative applications or in sandboxed environments
Use Windows Group Policy to modify file associations for .jt files
Application control
windowsImplement application whitelisting to restrict MicroStation execution to trusted locations
🧯 If You Can't Patch
- Implement strict user privilege restrictions (run MicroStation with least privilege)
- Deploy application sandboxing or virtualization for MicroStation processes
🔍 How to Verify
Check if Vulnerable:
Check MicroStation version via Help > About; versions 10.16.0.80 and earlier are vulnerableCheck Version:
In MicroStation: Help > About or check program propertiesVerify Fix Applied:
Verify version is updated to 10.16.0.80 or later; test with known safe JT files to ensure proper parsing📡 Detection & Monitoring
Log Indicators:
- Application crashes with memory access violations
- Unexpected process creation from MicroStation
- Suspicious file access patterns
Network Indicators:
- Unexpected outbound connections from MicroStation process
- Downloads of JT files from untrusted sources
SIEM Query:
Process creation where parent_process contains 'MicroStation' AND (command_line contains '.jt' OR file_path contains '.jt')