CVE-2021-46603
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by exploiting a heap-based buffer overflow in Bentley MicroStation CONNECT's J2K image parser. Attackers can achieve remote code execution by tricking users into opening malicious J2K files or visiting malicious web pages. Users of affected Bentley MicroStation CONNECT versions are at risk.
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Remote code execution in the context of the current user, allowing attackers to install malware, steal sensitive data, or use the system as a foothold for further attacks.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially containing the exploit to the application's process space.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file or visiting malicious page). The vulnerability is well-documented and was assigned ZDI-CAN-15397.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.16.0.80 or later (check vendor for specific fixed version)
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0006
Restart Required: Yes
Instructions:
1. Download the latest version from Bentley's official website. 2. Run the installer with administrative privileges. 3. Follow the installation wizard. 4. Restart the system after installation completes.
🔧 Temporary Workarounds
Disable J2K file association
windowsRemove J2K file type association with MicroStation to prevent automatic opening of malicious files.
Control Panel > Default Programs > Associate a file type or protocol with a program > Select .j2k > Change program > Choose another program
Application sandboxing
windowsRun MicroStation in a sandboxed environment to limit potential damage from exploitation.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MicroStation systems from critical assets
- Deploy application control policies to prevent execution of unauthorized binaries from MicroStation process
🔍 How to Verify
Check if Vulnerable:
Check MicroStation version in Help > About MicroStation. If version is 10.16.0.80 or earlier, the system is vulnerable.Check Version:
In MicroStation: Help > About MicroStationVerify Fix Applied:
Verify version is updated to 10.16.0.80 or later in Help > About MicroStation and test opening legitimate J2K files.📡 Detection & Monitoring
Log Indicators:
- Application crashes when processing J2K files
- Unusual process creation from MicroStation executable
- Memory access violation errors in application logs
Network Indicators:
- Downloads of J2K files from untrusted sources
- Outbound connections from MicroStation to unknown IPs
SIEM Query:
Process Creation where Parent Process Name contains 'MicroStation' AND (Command Line contains '.j2k' OR Image contains suspicious patterns)