CVE-2021-46617
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Bentley MicroStation CONNECT installations by tricking users into opening malicious TIF image files. The flaw exists in improper memory initialization during TIF parsing, enabling code execution in the current process context. Users of affected Bentley MicroStation versions are at risk.
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Attacker executes malicious code with the privileges of the current user, potentially installing malware, stealing sensitive project data, or establishing persistence on the system.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash rather than code execution.
🎯 Exploit Status
Exploitation requires user interaction but is technically straightforward once the malicious file is opened. No authentication is required for the exploit itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.16.0.80 or later patched versions
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0015
Restart Required: Yes
Instructions:
1. Download latest MicroStation CONNECT version from Bentley website.
2. Run installer with administrative privileges.
3. Restart system after installation completes.
🔧 Temporary Workarounds
Disable TIF file association
Windows: Prevent MicroStation from automatically opening TIF files by changing file associations
Control Panel > Default Programs > Associate a file type or protocol with a program > Change .tif association to another application
Application sandboxing
All platforms: Run MicroStation in a restricted environment to limit potential damage
🧯 If You Can't Patch
- Implement strict file type filtering to block TIF files at email gateways and web proxies
- Educate users to never open TIF files from untrusted sources and implement application whitelisting
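One way to implement the file type filtering from the first item above, as an added example that is not part of the original advisory or of any Bentley or gateway product: it identifies TIFF by its leading bytes rather than by file name, so renamed files are caught too. The function names, verdict strings and sample inputs are assumptions constructed for illustration.

```python
import struct

# Byte-order marks that open every TIFF file: "II" little-endian, "MM" big-endian.
BYTE_ORDERS = {b"II": "<", b"MM": ">"}
# Version word that follows the mark: 42 = classic TIFF, 43 = BigTIFF.
VERSIONS = {42: "tiff", 43: "bigtiff"}
TIF_EXTENSIONS = (".tif", ".tiff")


def sniff_tiff(data: bytes):
    """Return 'tiff', 'bigtiff' or None from the first four bytes only.

    Deliberately does not validate the rest of the header: a filter placed in
    front of a vulnerable parser should fail closed on malformed TIFFs too.
    """
    if len(data) < 4 or data[:2] not in BYTE_ORDERS:
        return None
    (version,) = struct.unpack(BYTE_ORDERS[data[:2]] + "H", data[2:4])
    return VERSIONS.get(version)


def gateway_verdict(filename: str, data: bytes):
    """Return (action, reason) for one attachment or download (hypothetical API)."""
    kind = sniff_tiff(data)
    named_tif = filename.lower().endswith(TIF_EXTENSIONS)
    if kind and not named_tif:
        return ("block", f"{kind} content under non-TIF name")
    if kind:
        return ("block", f"{kind} content")
    if named_tif:
        return ("block", "TIF extension, content not recognised")
    return ("allow", "not TIFF")


# Constructed sample inputs (header bytes only, not real images).
SAMPLES = [
    ("site-plan.tif", b"II*\x00\x08\x00\x00\x00"),
    ("photo.jpg", b"MM\x00*\x00\x00\x00\x08"),
    ("survey.dat", b"II+\x00\x08\x00\x00\x00" + b"\x10" + b"\x00" * 7),
    ("notes.tif", b"plain text"),
    ("logo.png", b"\x89PNG\r\n\x1a\n"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, *gateway_verdict(name, blob))
```

TIFF-based formats such as DNG share these signatures and will be blocked as well, so allow-list exceptions should be made by content type rather than by relaxing the signature check.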
🔍 How to Verify
Check if Vulnerable:
Check MicroStation version in Help > About. If version is 10.16.0.80 or earlier, system is vulnerable.
Check Version:
In MicroStation: Help > About or check program properties in Windows
Verify Fix Applied:
Verify version is updated beyond 10.16.0.80 and test opening known safe TIF files to ensure functionality remains.
📡 Detection & Monitoring
Log Indicators:
- Application crashes when opening TIF files
- Unusual process spawning from MicroStation
- Memory access violation errors in application logs
Network Indicators:
- Downloads of TIF files from suspicious sources
- Outbound connections from MicroStation to unknown IPs
SIEM Query:
source="*microstation*" AND (event_type="crash" OR process_name="*tif*")