CVE-2021-46633
📋 TL;DR
This is a use-after-free vulnerability in Bentley MicroStation CONNECT's PDF parser that allows remote code execution. Attackers can exploit it by tricking users into opening malicious PDF files, potentially compromising affected systems. Users of Bentley MicroStation CONNECT 10.16.0.80 are affected.
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected MicroStation installation and potentially the underlying system.
Likely Case
Attacker executes arbitrary code in the context of the current user, potentially leading to data theft, ransomware deployment, or lateral movement.
If Mitigated
Limited impact if proper application sandboxing, least privilege principles, and network segmentation are in place.
🎯 Exploit Status
Exploitation requires user interaction but no authentication. ZDI advisory suggests weaponization is likely given the nature of the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to version 10.16.02.58 or later
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0003
Restart Required: Yes
Instructions:
1. Download latest MicroStation CONNECT update from Bentley's official site.
2. Run installer with administrative privileges.
3. Restart system after installation completes.
🔧 Temporary Workarounds
Disable PDF file association
Windows: Prevent MicroStation from automatically opening PDF files by changing file associations.
Control Panel > Default Programs > Associate a file type or protocol with a program > Change .pdf to open with different application
Implement application control
Windows: Use Windows AppLocker or similar to restrict MicroStation from executing untrusted PDF files.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MicroStation systems
- Apply principle of least privilege - run MicroStation with minimal user permissions
🔍 How to Verify
Check if Vulnerable:
Check MicroStation version via Help > About. If version is exactly 10.16.0.80, system is vulnerable.
Check Version:
In MicroStation: Help > About MicroStation CONNECT
Verify Fix Applied:
Verify version is 10.16.02.58 or later via Help > About menu.
📡 Detection & Monitoring
Log Indicators:
- Unexpected process crashes of MicroStation
- Suspicious child processes spawned from MicroStation
- Unusual file access patterns from MicroStation process
Network Indicators:
- Outbound connections from MicroStation to unknown external IPs
- DNS requests for suspicious domains from MicroStation host
SIEM Query:
Process Creation where ParentImage contains 'MicroStation' AND (CommandLine contains '.pdf' OR Image contains suspicious patterns)
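The SIEM query above, written out as detection logic over process-creation events. This is an added example, not code from the original page or from Bentley. It assumes Sysmon-style fields (`ParentImage`, `Image`, `CommandLine`), and the list standing in for "suspicious patterns", the file paths and the sample events are all constructed for illustration.

```python
import ntpath

# Assumption: concrete stand-ins for the page's "suspicious patterns".
SUSPICIOUS_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                     "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def match_reason(event):
    """Return why a process-creation event matches the query, or None."""
    if "microstation" not in event.get("ParentImage", "").lower():
        return None  # the query only covers children of MicroStation
    image = ntpath.basename(event.get("Image", "")).lower()
    if image in SUSPICIOUS_IMAGES:
        return "shell or script host spawned by MicroStation"
    if ".pdf" in event.get("CommandLine", "").lower():
        return "MicroStation child process referencing a PDF"
    return None

def triage(events):
    """Return (Image, reason) for every matching event, in input order."""
    hits = []
    for event in events:
        reason = match_reason(event)
        if reason:
            hits.append((event["Image"], reason))
    return hits

# Constructed sample events; paths and file names are illustrative only.
MS = r"C:\Program Files\Bentley\MicroStation CONNECT Edition\microstation.exe"
SAMPLE_EVENTS = [
    {"ParentImage": MS, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": MS,
     "CommandLine": MS + r" C:\Users\a\Downloads\plan.pdf"},
    {"ParentImage": MS, "Image": r"C:\Program Files\ExampleViewer\viewer.exe",
     "CommandLine": r"viewer.exe C:\Users\a\Downloads\plan.pdf"},
    {"ParentImage": MS, "Image": r"C:\Program Files\ExampleTool\helper.exe",
     "CommandLine": "helper.exe --sync"},
]

if __name__ == "__main__":
    for image, reason in triage(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

The second sample event shows the query's limit: MicroStation opening a PDF itself creates no child process, so this rule only sees process launches that follow exploitation and should be paired with the crash and network indicators listed above.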