CVE-2021-46645
📋 TL;DR
This is a buffer overflow vulnerability in Bentley MicroStation CONNECT's BMP image parser that allows remote code execution. Attackers can exploit it by tricking users into opening malicious BMP files or visiting malicious web pages. Users of affected Bentley MicroStation versions are at risk.
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the victim's computer in the context of the current user.
Likely Case
Arbitrary code execution leading to malware installation, data theft, or ransomware deployment.
If Mitigated
Limited impact if proper application sandboxing, least privilege, and network segmentation are in place.
🎯 Exploit Status
Exploitation requires user interaction but no authentication. The vulnerability is well-documented and part of ZDI's disclosure program.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.16.1.0 and later
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0002
Restart Required: Yes
Instructions:
1. Download the latest MicroStation CONNECT update from Bentley's official website or through the CONNECT Services Manager.
2. Run the installer with administrative privileges.
3. Restart the application and any related services.
🔧 Temporary Workarounds
Block BMP file extensions
Windows: Prevent MicroStation from processing BMP files via file extension blocking.
Use Group Policy or endpoint protection to block .bmp files from opening in MicroStation
Application sandboxing
Windows: Run MicroStation in a sandboxed environment to limit potential damage.
Configure Windows Sandbox or third-party application containment solutions
🧯 If You Can't Patch
- Implement strict network segmentation to isolate MicroStation workstations
- Apply least privilege principles and disable unnecessary file format support
🔍 How to Verify
Check if Vulnerable:
Check MicroStation version via Help > About. If version is 10.16.0.80 or earlier, the system is vulnerable.
Check Version:
In MicroStation: Help > About, or check registry: HKEY_LOCAL_MACHINE\SOFTWARE\Bentley\MicroStation\10.0\Version
Verify Fix Applied:
Verify version is 10.16.1.0 or later and test with known safe BMP files to ensure parsing works correctly.
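The version check above as a PowerShell script that can be run across workstations; this is an added example, not Bentley tooling or code from the advisory. It assumes `Version` is a string value under the registry key quoted above, and `Test-MicroStationPatched` is a hypothetical helper name.

```powershell
# Added example (not vendor code). Thresholds come from this page:
# fixed in 10.16.1.0 and later; 10.16.0.80 or earlier is vulnerable.
$KeyPath   = 'HKLM:\SOFTWARE\Bentley\MicroStation\10.0'  # key quoted on this page
$ValueName = 'Version'   # assumption: a string value under that key
$FixedIn   = [version]'10.16.1.0'

function Test-MicroStationPatched {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$InstalledVersion)

    $v = $null
    if (-not [version]::TryParse($InstalledVersion.Trim(), [ref]$v)) {
        throw "Unparseable version string: '$InstalledVersion'"
    }
    # System.Version treats missing components as -1, so "10.16.1" would
    # compare lower than "10.16.1.0". Pad to four components first.
    $v = [version]::new($v.Major, $v.Minor,
                        [Math]::Max($v.Build, 0), [Math]::Max($v.Revision, 0))
    return $v -ge $FixedIn
}

# Boundary self-check with constructed version strings.
$cases = [ordered]@{ '10.16.0.80' = $false; '10.16.1.0' = $true; '10.16.1' = $true; '10.17.0.5' = $true }
foreach ($c in $cases.GetEnumerator()) {
    if ((Test-MicroStationPatched $c.Key) -ne $c.Value) { throw "Self-check failed for $($c.Key)" }
}

try {
    $raw = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
} catch {
    Write-Output "No '$ValueName' value at $KeyPath; confirm the version via Help > About."
    return
}

if (Test-MicroStationPatched -InstalledVersion ([string]$raw)) {
    Write-Output "MicroStation $raw : fix applied (>= $FixedIn)"
} else {
    Write-Output "MicroStation $raw : VULNERABLE to CVE-2021-46645, update to $FixedIn or later"
}
```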
📡 Detection & Monitoring
Log Indicators:
- Application crashes when processing BMP files
- Unexpected process creation from MicroStation
Network Indicators:
- Downloads of BMP files from untrusted sources
- Outbound connections from MicroStation to suspicious IPs
SIEM Query:
Process Creation where Image contains 'ustation.exe' AND ParentImage contains 'explorer.exe' AND CommandLine contains '.bmp'