CVE-2021-46609
📋 TL;DR
CVE-2021-46609 is a use-after-free vulnerability in Bentley MicroStation CONNECT's PDF parser that allows remote code execution. Attackers can exploit this by tricking users into opening malicious PDF files, potentially compromising affected systems. Users of Bentley MicroStation CONNECT version 10.16.0.80 are affected.
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected MicroStation installation and potentially the underlying operating system.
Likely Case
Attacker executes arbitrary code in the context of the current user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
If Mitigated
If proper controls are in place, exploitation is prevented through patching, application whitelisting, or network segmentation, limiting impact to isolated systems.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious PDF) but is otherwise straightforward. The vulnerability was discovered by Zero Day Initiative (ZDI-CAN-15403).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to version 10.16.02.58 or later
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0003
Restart Required: Yes
Instructions:
1. Download the latest MicroStation CONNECT update from Bentley's official website or through the Bentley CONNECTION Client.
2. Run the installer with administrative privileges.
3. Restart the system after installation completes.
🔧 Temporary Workarounds
Disable PDF file association
Windows: Prevent MicroStation from automatically opening PDF files by changing file associations
Control Panel > Default Programs > Associate a file type or protocol with a program > Change .pdf to open with a different application
Application control policy
Windows: Implement application whitelisting to prevent execution of unauthorized PDF files
Use Windows AppLocker or similar solution to restrict PDF execution
🧯 If You Can't Patch
- Implement network segmentation to isolate MicroStation systems from critical infrastructure
- Deploy endpoint detection and response (EDR) solutions to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check MicroStation version by opening the application and navigating to Help > About MicroStation
Check Version:
Not applicable - check through application GUI
Verify Fix Applied:
Verify the version is 10.16.02.58 or later in Help > About MicroStation
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from MicroStation executable
- Multiple failed PDF parsing attempts in application logs
- Unexpected network connections from MicroStation process
Network Indicators:
- Outbound connections from MicroStation to unexpected external IPs
- Unusual DNS queries from systems running MicroStation
SIEM Query:
Process Creation where (Image contains 'ustation.exe' OR ParentImage contains 'ustation.exe') AND CommandLine contains '.pdf'
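The query above only matches events whose own command line contains '.pdf', so a process spawned by MicroStation after a PDF was opened would not match it. The following added example (not part of the original advisory or of any vendor tooling) applies the page's query to constructed process-creation events and adds a parent/child correlation for the "unusual process creation from MicroStation" indicator. The ProcessId and ParentProcessId fields, the labels and all paths are assumptions.

```python
TARGET = "ustation.exe"  # executable name from the page's SIEM query

# Constructed events in chronological order. Image, ParentImage and CommandLine
# are the page's field names; ProcessId/ParentProcessId are assumed
# (Sysmon Event ID 1 style). All paths are placeholders, not real install paths.
EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\placeholder\ustation.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\placeholder\ustation.exe" "C:\Users\a\Downloads\plan.pdf"'},
    {"ProcessId": 101, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\placeholder\ustation.exe",
     "CommandLine": "cmd.exe /c echo constructed"},
    {"ProcessId": 200, "ParentProcessId": 1,
     "Image": r"C:\placeholder\ustation.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\placeholder\ustation.exe" "C:\work\site.dgn"'},
    {"ProcessId": 201, "ParentProcessId": 200,
     "Image": r"C:\placeholder\helper.exe", "ParentImage": r"C:\placeholder\ustation.exe",
     "CommandLine": "helper.exe --constructed"},
]

def has(ev, field, needle):
    """Case-insensitive 'contains' on one event field."""
    return needle in ev.get(field, "").lower()

def page_query(ev):
    """The page's SIEM query applied to a single event."""
    return ((has(ev, "Image", TARGET) or has(ev, "ParentImage", TARGET))
            and has(ev, "CommandLine", ".pdf"))

def triage(events):
    """Label MicroStation PDF sessions and every process MicroStation spawns."""
    pdf_sessions = set()  # PIDs of MicroStation processes started with a PDF
    findings = []
    for ev in events:
        if has(ev, "Image", TARGET):
            if has(ev, "CommandLine", ".pdf"):
                pdf_sessions.add(ev["ProcessId"])
                findings.append((ev["ProcessId"], "microstation-opened-pdf"))
        elif has(ev, "ParentImage", TARGET):
            # PID reuse is ignored here; production logic should key on a process GUID.
            in_pdf = ev["ParentProcessId"] in pdf_sessions
            findings.append((ev["ProcessId"],
                             "child-of-pdf-session" if in_pdf else "child-of-microstation"))
    return findings

if __name__ == "__main__":
    print("page query hits:", [e["ProcessId"] for e in EVENTS if page_query(e)])
    print("triage:", triage(EVENTS))
```

On the sample data the page's query matches only the MicroStation launch itself, while the correlation also surfaces the child process created under that PDF session.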