CVE-2021-46614

7.8 HIGH

📋 TL;DR

This vulnerability in Bentley MicroStation CONNECT allows remote attackers to execute arbitrary code by tricking users into opening malicious J2K image files. The flaw is an out-of-bounds read during J2K file parsing that can lead to remote code execution in the current process context. Users of affected Bentley MicroStation versions are at risk.

💻 Affected Systems

Products:
  • Bentley MicroStation CONNECT
Versions: 10.16.0.80 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default when processing J2K files.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Attacker executes arbitrary code with the privileges of the current user, potentially installing malware, stealing sensitive data, or establishing persistence on the system.

🟢

If Mitigated

Limited impact due to proper controls like application sandboxing, limited user privileges, and network segmentation preventing lateral movement.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) but the vulnerability is well-documented and was disclosed through ZDI, making weaponization likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 10.16.1 or later

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0006

Restart Required: Yes

Instructions:

1. Download the latest version from Bentley's official website or update through the application's update mechanism.
2. Install the update following Bentley's installation instructions.
3. Restart the system to ensure all components are properly updated.

🔧 Temporary Workarounds

Disable J2K file association (platform: Windows)

Remove or modify file associations to prevent MicroStation from automatically opening J2K files.

Control Panel > Default Programs > Associate a file type or protocol with a program > Remove .j2k association with MicroStation

Block J2K files at perimeter (platform: all)

Configure email and web gateways to block J2K file attachments.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized code
  • Restrict user privileges to limit potential damage from successful exploitation

🔍 How to Verify

Check if Vulnerable:

Check MicroStation version in Help > About. If version is 10.16.0.80 or earlier, the system is vulnerable.

Check Version:

In MicroStation: Help > About MicroStation

Verify Fix Applied:

Verify version is 10.16.1 or later in Help > About, then test opening a legitimate J2K file to ensure functionality is restored.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing J2K files
  • Unexpected process creation from MicroStation
  • Memory access violation errors in application logs

Network Indicators:

  • Downloads of J2K files from untrusted sources
  • Outbound connections from MicroStation to suspicious IPs

SIEM Query:

source="MicroStation" AND (event_type="crash" OR process_name="*j2k*")
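The version check under "How to Verify" and the crash indicators above can be automated on an endpoint. The following PowerShell script is an added example written for this page; it is not part of the advisory or of Bentley's tooling. It assumes the MicroStation executable is named MicroStation.exe at the (hypothetical) install path given as the default parameter, and it treats 10.16.0.80, the last affected build named above, as the comparison threshold. Crash detection reads Windows Application log Event ID 1000 ("Application Error"), whose properties carry the faulting application, the faulting module and the exception code.

```powershell
# Added example (not from the advisory or from Bentley): check an installed
# MicroStation binary against the affected range and list recent crash events
# attributed to it.
# Assumptions: the executable is MicroStation.exe at the default path below
# (hypothetical); 10.16.0.80 is the last affected build per the advisory.

param(
    [string]$ExePath = 'C:\Program Files\Bentley\MicroStation CONNECT Edition\MicroStation\MicroStation.exe',  # assumed location
    [int]$LookbackDays = 30
)

$LastAffected = [version]'10.16.0.80'

function Test-MicroStationVulnerable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "MicroStation binary not found at $Path"
    }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build a [version] from the numeric file-version fields so the comparison is
    # component-wise; a plain string compare would rank 10.16.0.9 above 10.16.0.80.
    $v = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Path       = $Path
        Version    = $v
        Vulnerable = ($v -le $LastAffected)   # 10.16.0.80 and earlier are affected
    }
}

function Get-MicroStationCrashEvents {
    param([int]$Days)
    # Event ID 1000 from provider "Application Error" is written on an unhandled
    # fault. Property layout: [0] faulting app, [3] faulting module,
    # [6] exception code (0xc0000005 is an access violation, i.e. the
    # "memory access violation" indicator listed above).
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -like 'MicroStation.exe' } |
        Select-Object TimeCreated,
            @{ n = 'FaultingModule'; e = { $_.Properties[3].Value } },
            @{ n = 'ExceptionCode';  e = { $_.Properties[6].Value } }
}

Test-MicroStationVulnerable -Path $ExePath | Format-List
Get-MicroStationCrashEvents -Days $LookbackDays | Format-Table -AutoSize
```

Run it in an elevated session on the workstation being checked (reading the Application log for other users' sessions needs administrator rights). A `Vulnerable = True` row is the same answer as Help > About showing 10.16.0.80 or earlier; a run of 1000 events with an access-violation exception code in the weeks before patching is worth correlating with the J2K file downloads listed under network indicators.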
