CVE-2021-46605
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on affected Bentley MicroStation installations by tricking users into opening malicious BMP image files. The flaw is improper length validation when parsing BMP images, which leads to a heap-based buffer overflow. Users of Bentley MicroStation CONNECT 10.16.0.80 are affected.
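The kind of length validation the TL;DR describes as missing, shown as an added Python example (not Bentley's code; the layout follows the standard BITMAPFILEHEADER/BITMAPINFOHEADER, and MAX_DIM and the sample files are constructed for illustration): the pixel buffer size is derived from width, height and bit depth, and any header field that disagrees with it is rejected before anything is allocated or copied.

```python
import struct

FILE_HEADER_LEN = 14
INFO_HEADER_LEN = 40  # BITMAPINFOHEADER
MAX_DIM = 1 << 15  # illustrative cap; keeps width*height arithmetic bounded
ALLOWED_BPP = {1, 4, 8, 16, 24, 32}

def row_stride(width, bpp):
    # Rows are padded to 4 bytes; this, not biSizeImage, must size the pixel buffer.
    return ((width * bpp + 31) // 32) * 4

def parse_bmp(data):
    """Parse an uncompressed BMP header, rejecting files whose declared lengths
    disagree with the pixel buffer implied by width, height and bit depth."""
    if len(data) < FILE_HEADER_LEN + INFO_HEADER_LEN:
        raise ValueError("truncated header")
    magic, bf_size, _reserved, off_bits = struct.unpack_from("<2sIII", data, 0)
    if magic != b"BM" or bf_size != len(data):
        raise ValueError("bad magic or bfSize does not match file length")
    (bi_size, width, height, planes, bpp,
     compression, size_image) = struct.unpack_from("<IiiHHII", data, FILE_HEADER_LEN)
    if bi_size < INFO_HEADER_LEN or planes != 1 or compression != 0:
        raise ValueError("unsupported DIB header, plane count or compression")
    if not (0 < width <= MAX_DIM and 0 < abs(height) <= MAX_DIM) or bpp not in ALLOWED_BPP:
        raise ValueError("dimensions or bit depth out of range")
    expected = row_stride(width, bpp) * abs(height)
    # biSizeImage may be 0 for BI_RGB; any other value must equal the computed size.
    if size_image not in (0, expected):
        raise ValueError("biSizeImage disagrees with width/height/bpp")
    if off_bits < FILE_HEADER_LEN + bi_size or off_bits + expected > len(data):
        raise ValueError("pixel data extends past end of file")
    return {"width": width, "height": height, "bpp": bpp, "pixel_offset": off_bits, "pixel_size": expected}

def check_bmp(data):
    try:
        parse_bmp(data)
        return "ok"
    except ValueError as exc:
        return str(exc)

def build_bmp(width, height, bpp=24, size_image=None, pixels=None):
    """Build a minimal BMP (constructed test data, not a real sample)."""
    pixels = bytes(row_stride(width, bpp) * abs(height)) if pixels is None else pixels
    size_image = len(pixels) if size_image is None else size_image
    off = FILE_HEADER_LEN + INFO_HEADER_LEN
    info = struct.pack("<IiiHHIIiiII", INFO_HEADER_LEN, width, height, 1, bpp, 0,
                       size_image, 2835, 2835, 0, 0)
    return struct.pack("<2sIII", b"BM", off + len(pixels), 0, off) + info + pixels

GOOD, UNDERSIZED = build_bmp(2, 2), build_bmp(2, 2, size_image=4)  # consistent / biSizeImage too small
TRUNCATED = build_bmp(64, 64, size_image=12288, pixels=bytes(16))  # header promises more data than present
```

A parser that allocated from biSizeImage and copied by width*height (or the reverse) would overrun its heap buffer on UNDERSIZED; deriving one size and checking every declared field against it closes that gap.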
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Attacker executes arbitrary code in the context of the current user, potentially installing malware, stealing sensitive project data, or using the system as a foothold for further attacks.
If Mitigated
If proper controls are in place, the impact is limited to the user's privileges and sandboxed environment, with potential data loss but limited system-wide compromise.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file) but the vulnerability is well-documented and weaponization is likely given the RCE nature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to version 10.16.02.58 or later
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0002
Restart Required: Yes
Instructions:
1. Download the latest MicroStation CONNECT update from Bentley's official website.
2. Run the installer with administrative privileges.
3. Follow the installation wizard.
4. Restart the system after installation completes.
🔧 Temporary Workarounds
Block BMP file processing
Windows: Configure MicroStation to block or warn when opening BMP files
Not applicable - configure through MicroStation settings
Restrict file associations
Windows: Change default file associations to prevent automatic opening of BMP files in MicroStation
Control Panel > Default Programs > Associate a file type or protocol with a program
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized code
- Use network segmentation to isolate MicroStation systems from critical assets
🔍 How to Verify
Check if Vulnerable:
Check MicroStation version in Help > About MicroStation. If version is exactly 10.16.0.80, the system is vulnerable.
Check Version:
In MicroStation: Help > About MicroStation
Verify Fix Applied:
Verify version is 10.16.02.58 or later in Help > About MicroStation, then test opening a BMP file to ensure proper parsing.
📡 Detection & Monitoring
Log Indicators:
- Unexpected process crashes when opening BMP files
- Unusual child processes spawned from MicroStation
Network Indicators:
- Outbound connections from MicroStation to unknown IPs
- DNS queries for suspicious domains after BMP file processing
SIEM Query:
Process Creation where ParentImage contains 'MicroStation' AND (CommandLine contains '.bmp' OR Image contains suspicious patterns)