Login Sign Up

CVE-2021-46621

7.8 HIGH
Remote Code Execution

📋 TL;DR

This is a double-free vulnerability in Bentley MicroStation CONNECT's JT file parser that allows remote code execution. Attackers can exploit it by tricking users into opening malicious JT files or visiting malicious web pages. Affects users of Bentley MicroStation CONNECT 10.16.0.80 who process untrusted JT files.

💻 Affected Systems

Products:
  • Bentley MicroStation CONNECT
Versions: 10.16.0.80
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of the affected version are vulnerable when processing JT files. User interaction required (opening malicious file or visiting malicious page).

📦 What is this software?

Microstation by Bentley

View all CVEs affecting Microstation →

Microstation Connect by Bentley

View all CVEs affecting Microstation Connect →

View by Bentley

View all CVEs affecting View →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker executing arbitrary code in the context of the current user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Remote code execution leading to malware installation, data exfiltration, or system disruption for users who open malicious JT files.

🟢

If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially only application crash or denial of service.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction but has been weaponized by ZDI. Attackers need to craft malicious JT files or web content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to version 10.16.02.34 or later

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005

Restart Required: Yes

Instructions:

1. Download latest MicroStation CONNECT update from Bentley's official site. 2. Run installer with administrative privileges. 3. Restart system after installation completes.

🔧 Temporary Workarounds

Restrict JT file processing

all

Block or restrict processing of JT files from untrusted sources

Application sandboxing

windows

Run MicroStation in restricted/sandboxed environment

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized code
  • Restrict user privileges to limit potential damage from successful exploitation

🔍 How to Verify

Check if Vulnerable:

Check MicroStation version via Help > About. If version is 10.16.0.80, system is vulnerable.

Check Version:

Not applicable - check via application GUI Help > About

Verify Fix Applied:

Verify version is 10.16.02.34 or later in Help > About dialog.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing JT files
  • Unusual process creation from MicroStation

Network Indicators:

  • Downloads of JT files from suspicious sources
  • Outbound connections after JT file processing

SIEM Query:

Process creation where parent_process contains 'ustation.exe' AND (process contains 'cmd.exe' OR process contains 'powershell.exe')

📊 Metadata

CVE ID: CVE-2021-46621
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-415
Published: February 18, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46621, you might also want to check these:

CVE-2020-35885 9.8

This vulnerability in the alpm-rs Rust crate allows double-free memory corruption due to improper de...

Same vulnerability type (CWE-415)
CVE-2021-29940 9.8

This vulnerability in the Rust 'through' crate allows double-free memory corruption when the map fun...

Same vulnerability type (CWE-415)
CVE-2023-49937 9.8

This CVE describes a double-free vulnerability in SchedMD Slurm workload manager that allows attacke...

Same vulnerability type (CWE-415)