CVE-2021-46619
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files in Bentley MicroStation CONNECT. Attackers can exploit a buffer read overflow in PDF parsing to gain code execution in the current process context. Users of affected Bentley MicroStation versions are at risk.
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through remote code execution leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Malicious actors deliver targeted attacks via phishing emails with malicious PDF attachments, compromising individual workstations running MicroStation.
If Mitigated
With proper email filtering, user training, and application whitelisting, exploitation attempts are blocked before reaching vulnerable software.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file) but the vulnerability is well-documented through ZDI disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to MicroStation CONNECT version 10.16.1 or later
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0003
Restart Required: Yes
Instructions:
1. Download the latest MicroStation CONNECT update from Bentley's official website or through Bentley's update mechanism.
2. Close all MicroStation applications.
3. Run the installer with administrative privileges.
4. Restart the system after installation completes.
🔧 Temporary Workarounds
Disable PDF file association
Windows: Remove MicroStation as the default handler for PDF files to prevent automatic opening
Control Panel > Default Programs > Set Default Programs > Select MicroStation > Choose defaults for this program > Uncheck .pdf
Application control policy
Windows: Block execution of MicroStation from untrusted locations or user directories
🧯 If You Can't Patch
- Implement strict email filtering to block PDF attachments from untrusted sources
- Deploy endpoint detection and response (EDR) to monitor for suspicious PDF parsing behavior
🔍 How to Verify
Check if Vulnerable:
Check MicroStation version in Help > About MicroStation; versions 10.16.0.80 or earlier are vulnerable
Check Version:
In MicroStation: Help > About MicroStation
Verify Fix Applied:
Verify version is 10.16.1 or later in Help > About MicroStation
📡 Detection & Monitoring
Log Indicators:
- Multiple failed PDF parsing attempts in application logs
- Unexpected process creation from MicroStation executable
Network Indicators:
- Outbound connections from MicroStation to unknown IPs post-PDF opening
- DNS requests for suspicious domains after PDF processing
SIEM Query:
Process Creation where Image contains 'ustation.exe' AND ParentImage contains 'explorer.exe' AND CommandLine contains '.pdf'
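The query above and the "unexpected process creation" log indicator can be run as triage logic over exported process-creation events. This is an added example, not part of the original advisory or any vendor tooling; it assumes Sysmon Event ID 1 style field names, and the sample events, the install path and the child-process allowlist are constructed for illustration.

```python
import ntpath

TARGET = "ustation.exe"  # MicroStation executable name used in the page's query

# Hypothetical allowlist: children considered normal in this environment.
EXPECTED_CHILDREN = {"ustation.exe", "werfault.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return ntpath.basename(path or "").lower()


def classify(event):
    """Return the names of the rules a process-creation event matches."""
    hits = []
    image = basename(event.get("Image"))
    parent = basename(event.get("ParentImage"))
    cmdline = (event.get("CommandLine") or "").lower()
    # Rule 1, the page's query: MicroStation started from Explorer on a PDF.
    # Exact basename match is a stricter variant of the query's "contains".
    if image == TARGET and parent == "explorer.exe" and ".pdf" in cmdline:
        hits.append("pdf_opened_in_microstation")
    # Rule 2, the log indicator: MicroStation spawns a non-allowlisted process.
    if parent == TARGET and image not in EXPECTED_CHILDREN:
        hits.append("unexpected_child_of_microstation")
    return hits


def triage(events):
    """Return (Image, matched rules) for every event that matches a rule."""
    results = [(e["Image"], classify(e)) for e in events]
    return [(image, rules) for image, rules in results if rules]


# Constructed sample events (placeholder paths, not real telemetry).
USTATION = r"C:\Apps\MicroStation\ustation.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    {"Image": USTATION, "ParentImage": EXPLORER,
     "CommandLine": r'"C:\Apps\MicroStation\ustation.exe" "C:\Users\a\Downloads\plan.PDF"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": USTATION,
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": USTATION, "ParentImage": EXPLORER,
     "CommandLine": r'"C:\Apps\MicroStation\ustation.exe" "C:\Projects\site.dgn"'},
    {"Image": r"C:\Windows\System32\WerFault.exe", "ParentImage": USTATION,
     "CommandLine": "WerFault.exe -u -p 1234"},
]

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS):
        print(image, rules)
```

Rule 1 alone only shows that a PDF was opened in MicroStation; paired with a Rule 2 hit on the same host shortly afterwards, it is a stronger signal worth investigating.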