CVE-2022-1229

7.8 HIGH

📋 TL;DR

CVE-2022-1229 is a buffer overflow vulnerability in Bentley MicroStation CONNECT that allows remote code execution when users open malicious IFC files. Attackers can exploit this to run arbitrary code with the privileges of the current user. Users of affected Bentley MicroStation versions are at risk.

💻 Affected Systems

Products:
  • Bentley MicroStation CONNECT
Versions: 10.16.2.034 and earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable when processing IFC files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via arbitrary code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Malware installation or data exfiltration when users open malicious IFC files from untrusted sources.

🟢 If Mitigated

No impact if patched or if users avoid opening untrusted IFC files.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious files, but these could be delivered via email or compromised websites.
🏢 Internal Only: MEDIUM - Internal users could be tricked into opening malicious files via phishing or shared drives.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

User interaction required (opening malicious file), but exploitation is straightforward once the file is opened.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.16.2.035 and later

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0006

Restart Required: Yes

Instructions:

1. Download the latest version from Bentley's official website or update through Bentley CONNECTION Client.
2. Install the update.
3. Restart the system.

🔧 Temporary Workarounds

Block IFC file extensions (Windows)

Prevent opening of IFC files at the system or network level

Windows: Use Group Policy to block .ifc file execution
Email filters: Block .ifc attachments

User awareness training (all platforms)

Train users to avoid opening IFC files from untrusted sources

🧯 If You Can't Patch

  • Restrict user permissions to limit damage from successful exploitation
  • Implement application whitelisting to prevent unauthorized executables from running

🔍 How to Verify

Check if Vulnerable:

Check the MicroStation version via Help > About. If the version is 10.16.2.034 or earlier, the system is vulnerable.

Check Version:

In MicroStation: Help > About, or check registry: HKEY_LOCAL_MACHINE\SOFTWARE\Bentley\MicroStation\10.0\Version

Verify Fix Applied:

Verify version is 10.16.2.035 or later in Help > About dialog.
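
The version check above, applied to a whole inventory instead of one Help > About dialog. This is an added example, not part of the original advisory or of Bentley's tooling. It assumes a 'host,version' CSV export; the host names and sample rows are constructed.

```python
import csv
import io

# First fixed build per this page; 10.16.2.034 and earlier are affected.
FIXED = (10, 16, 2, 35)


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted 4-part version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    # int() drops zero padding, so "034" and "34" compare as the same build.
    return tuple(int(p) for p in parts)


def classify(text):
    """Classify one version string as 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # never report an unparseable version as fixed
    # Tuple comparison is numeric per component, so 10.9.x sorts below 10.16.x
    # (a plain string comparison would get that wrong).
    return "fixed" if version >= FIXED else "vulnerable"


def triage(inventory_csv):
    """Map each host in a 'host,version' CSV export to its status."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["version"]) for row in reader}


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE = """host,version
cad-ws-01,10.16.2.034
cad-ws-02,10.16.2.035
cad-ws-03,10.9.0.12
cad-ws-04,10.17.0.209
cad-ws-05,10.16.2
cad-ws-06,10.16.2.34
"""

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual check in Help > About before they are counted as patched.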

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when opening IFC files
  • Unusual process creation from MicroStation

Network Indicators:

  • Downloads of IFC files from suspicious sources
  • Outbound connections after opening IFC files

SIEM Query:

Process creation where parent process contains 'MicroStation' AND (command line contains '.ifc' OR file path contains '.ifc')
