CVE-2021-46612
📋 TL;DR
CVE-2021-46612 is an out-of-bounds read vulnerability in Bentley MicroStation CONNECT's PDF parser that allows remote code execution. Attackers can exploit it by tricking users into opening malicious PDF files, potentially taking full control of the affected system. This affects users of Bentley MicroStation CONNECT version 10.16.0.80.
💻 Affected Systems
- Bentley MicroStation CONNECT
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker executing arbitrary code as the current user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Malware installation or data exfiltration from the compromised workstation, with attackers leveraging user credentials for further access.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially only affecting the MicroStation process.
🎯 Exploit Status
Exploitation requires social engineering to deliver a malicious PDF, but no authentication. The ZDI-CAN-15406 tracking identifier suggests active research interest.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: a release beyond 10.16.0.80 (check the Bentley advisory for the specific fixed version)
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0003
Restart Required: Yes
Instructions:
1. Download the latest MicroStation CONNECT update from Bentley.
2. Install the update following the vendor instructions.
3. Restart the system.
4. Verify that the version has been updated.
🔧 Temporary Workarounds
Disable PDF file association
(Windows) Prevent MicroStation from automatically opening PDF files by changing file associations
Control Panel > Default Programs > Associate a file type or protocol with a program > Change .pdf to open with different application
Application sandboxing
(Windows) Run MicroStation in a restricted environment to limit impact
🧯 If You Can't Patch
- Implement strict email filtering to block PDF attachments
- Use application whitelisting to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check the MicroStation version via Help > About. If the version is exactly 10.16.0.80, the system is vulnerable.
Check Version:
In MicroStation: Help > About or check program properties
Verify Fix Applied:
Verify that the version is updated beyond 10.16.0.80 and test opening known safe PDF files.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from MicroStation
- Multiple PDF parsing errors in application logs
- Out-of-memory errors in system logs
Network Indicators:
- Unexpected outbound connections from MicroStation process
- DNS requests to suspicious domains after PDF opening
SIEM Query:
Process Creation where ParentImage contains 'MicroStation' AND CommandLine contains '.pdf'
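As an added example, not from the advisory or the vendor, the SIEM query above expressed as a small Python check run over constructed Sysmon-style process-creation records (the field names ParentImage, Image and CommandLine, the sample paths, and the list of shell/script hosts are assumptions); it raises the severity when MicroStation's child is a shell or script host.

```python
import ntpath

# Shell/script hosts a document-parser exploit commonly chains into.
# Assumption: a starting list to be tuned per environment.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}

def is_microstation_parent(event):
    """ParentImage file name contains 'MicroStation' (case-insensitive)."""
    return "microstation" in ntpath.basename(event.get("ParentImage", "")).lower()

def classify(event):
    """Return None if not of interest, else (severity, reason).
    Mirrors the advisory's query (ParentImage contains 'MicroStation' AND
    CommandLine contains '.pdf'); escalates when the child is a shell or
    script host regardless of the command line."""
    if not is_microstation_parent(event):
        return None
    child = ntpath.basename(event.get("Image", "")).lower()
    if child in SUSPICIOUS_CHILDREN:
        return ("high", f"MicroStation spawned {child}")
    if ".pdf" in event.get("CommandLine", "").lower():
        return ("medium", f"MicroStation spawned {child} with a .pdf argument")
    return None

def scan(events):
    """Classify a batch; return (RecordId, severity, reason) for each hit."""
    hits = []
    for event in events:
        result = classify(event)
        if result:
            hits.append((event["RecordId"], *result))
    return hits

# Constructed Sysmon-style process-creation records, not real telemetry.
MS_EXE = r"C:\Program Files\Bentley\MicroStation CONNECT Edition\MicroStation\MicroStation.exe"
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": MS_EXE, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\jdoe\Downloads\drawing.pdf"'},
    {"RecordId": 2, "ParentImage": MS_EXE, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"RecordId": 3, "ParentImage": MS_EXE, "Image": r"C:\Program Files\Viewer\viewer.exe",
     "CommandLine": r'"C:\Program Files\Viewer\viewer.exe" C:\Users\jdoe\Downloads\DRAWING.PDF'},
    {"RecordId": 4, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\jdoe\Downloads\drawing.pdf"'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)   # records 1 (high) and 3 (medium)
```

Record 2 (a console host with no PDF argument) and record 4 (the same command line but with Explorer as parent) are deliberately left unflagged to show the query's scope.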