CVE-2021-46635
📋 TL;DR
CVE-2021-46635 is a buffer overflow vulnerability in Bentley MicroStation CONNECT's DGN file parser that allows remote code execution. Attackers can exploit this by tricking users into opening malicious DGN files, potentially compromising affected systems. Users of Bentley MicroStation CONNECT version 10.16.0.80 are primarily affected.
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the affected workstation, potentially leading to lateral movement within the network.
Likely Case
Local privilege escalation or malware installation on the user's system, data theft, or ransomware deployment.
If Mitigated
Limited impact with proper network segmentation, application sandboxing, and user awareness training preventing successful exploitation.
🎯 Exploit Status
Exploitation requires user interaction but the vulnerability is well-documented and was disclosed through ZDI. Weaponization is likely given the RCE potential.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to version 10.16.02.34 or later
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0009
Restart Required: Yes
Instructions:
1. Download the latest version from Bentley's official website or update through Bentley CONNECTION Client.
2. Run the installer with administrative privileges.
3. Restart the system after installation completes.
🔧 Temporary Workarounds
Restrict DGN file handling
Windows: Configure the system to open DGN files with alternative software or in sandboxed environments
Use Windows Group Policy to modify file associations for .dgn files
Application control policies
Windows: Implement application whitelisting to prevent unauthorized execution of MicroStation
Configure Windows AppLocker or similar application control solution
🧯 If You Can't Patch
- Implement network segmentation to isolate MicroStation workstations from critical systems
- Deploy endpoint detection and response (EDR) solutions to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check MicroStation version via Help > About menu or examine installed programs in Control Panel
Check Version:
wmic product where name="MicroStation CONNECT" get version
Verify Fix Applied:
Verify version is 10.16.02.34 or later in Help > About menu
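The version check above as a script for running across many workstations. This is an added example, not Bentley's tooling or part of the original advisory. It reads the uninstall registry keys instead of calling `wmic product` and compares numerically, so 10.16.0.80 sorts below 10.16.02.34. The `MicroStation*` display-name pattern and a dotted numeric `DisplayVersion` are assumptions.

```powershell
# Added example: flag MicroStation installs older than the fixed build named on this page.
# Assumptions: DisplayName starts with "MicroStation" and DisplayVersion is a dotted
# numeric version; adjust $NamePattern if the installer registers a different name.
$NamePattern  = 'MicroStation*'
$FixedVersion = [version]'10.16.2.34'   # 10.16.02.34 on the page; [version] compares fields as integers

# Standard per-machine uninstall keys (64-bit and 32-bit views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$results = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern } |
    ForEach-Object {
        # TryParse avoids an exception on empty or non-numeric version strings.
        $parsed = $null
        $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
        $status = if (-not $ok) { 'UNKNOWN' } elseif ($parsed -lt $FixedVersion) { 'VULNERABLE' } else { 'PATCHED' }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Status   = $status
        }
    }

if (-not $results) {
    Write-Output "No product matching '$NamePattern' found in the uninstall keys."
} else {
    $results | Format-Table -AutoSize
    # Non-zero exit lets a deployment tool or scheduled task flag the host.
    if ($results.Status -ne 'PATCHED') { exit 1 }
}
```

An `UNKNOWN` status means the registered version string could not be parsed; confirm those hosts through Help > About.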
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from MicroStation executable
- Multiple failed DGN file parsing attempts
- Abnormal memory usage patterns in MicroStation process
Network Indicators:
- External downloads of DGN files from untrusted sources
- Unusual outbound connections from MicroStation workstations
SIEM Query:
source="windows" AND process_name="ustation.exe" AND (event_id=4688 OR event_id=1) AND parent_process!="explorer.exe"