CVE-2022-28301

7.8 HIGH

📋 TL;DR

This is a buffer overflow vulnerability in Bentley MicroStation CONNECT that allows remote code execution when users open malicious IFC files. Attackers can exploit this to run arbitrary code with the privileges of the current user. Users of affected MicroStation versions who open untrusted IFC files are at risk.

💻 Affected Systems

Products:
  • Bentley MicroStation CONNECT
Versions: 10.16.02.34 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with IFC file support enabled are vulnerable. IFC (Industry Foundation Classes) is a common format for BIM data exchange.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to data exfiltration, installation of backdoors, or disruption of engineering workflows.

🟢 If Mitigated

Limited impact with proper segmentation and user privilege restrictions, potentially only affecting the MicroStation process without system-wide compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) but the vulnerability is well-documented and buffer overflow exploitation techniques are mature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.16.02.35 and later

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0006

Restart Required: Yes

Instructions:

1. Download the latest MicroStation CONNECT update from Bentley's official website or through the Bentley CONNECTION Client.
2. Run the installer with administrative privileges.
3. Restart the system after installation completes.

🔧 Temporary Workarounds

Disable IFC file association (Windows)

Remove IFC file type association with MicroStation to prevent automatic opening:

Control Panel > Default Programs > Associate a file type or protocol with a program > Select .ifc > Change program > Choose another application

Restrict IFC file execution (Windows)

Use application control policies to block execution of IFC files in MicroStation.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MicroStation systems from critical infrastructure
  • Apply principle of least privilege by running MicroStation with limited user accounts and disabling administrative privileges

🔍 How to Verify

Check if Vulnerable:

Check MicroStation version in Help > About MicroStation. If version is 10.16.02.34 or earlier, the system is vulnerable.

Check Version:

In MicroStation: Help > About MicroStation

Verify Fix Applied:

Verify version is 10.16.02.35 or later in Help > About MicroStation after applying the update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from MicroStation.exe
  • Multiple failed IFC file parsing attempts
  • Memory access violations in application logs

Network Indicators:

  • Unexpected outbound connections from MicroStation process
  • File downloads of IFC files from untrusted sources

SIEM Query:

process_name:"MicroStation.exe" AND (event_id:4688 OR parent_process_name:"explorer.exe") AND command_line:"*.ifc"
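
The query above matches MicroStation.exe being launched with an .ifc argument; the first log indicator concerns processes that MicroStation.exe then creates. The following Python is an added example (not part of the original advisory or any vendor tooling) that correlates the two; the event field names, the allowlist, the install path and the sample events are constructed assumptions.

```python
import ntpath
import re

# Assumption: child images this site expects MicroStation to start (hypothetical allowlist).
EXPECTED_CHILDREN = {"werfault.exe"}
IFC_ARG = re.compile(r'"([^"]+\.ifc)"|(\S+\.ifc)(?=\s|$)', re.IGNORECASE)

# Constructed sample events (not real telemetry). Field names are hypothetical,
# normalised from process-creation logging such as Windows event 4688.
FIELDS = ("time", "pid", "ppid", "image", "parent_image", "command_line")
MS = r"C:\Apps\MicroStation\MicroStation.exe"  # constructed install path
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    (100, 4120, 900, MS, r"C:\Windows\explorer.exe", MS + r' "C:\Users\alice\Downloads\tower.ifc"'),
    (104, 5208, 4120, r"C:\Windows\System32\cmd.exe", MS, "cmd.exe"),
    (105, 5300, 4120, r"C:\Windows\System32\WerFault.exe", MS, "WerFault.exe"),
    (200, 6000, 900, MS, r"C:\Windows\explorer.exe", MS + r" C:\Projects\plant.dgn"),
    (210, 6100, 6000, r"C:\Windows\System32\cmd.exe", MS, "cmd.exe"),
]]

def basename(path):
    return ntpath.basename(path).lower()

def find_suspicious_children(events, window_seconds=300):
    """Return alerts for unexpected processes started by a MicroStation
    instance that was itself launched with an .ifc file argument."""
    ifc_sessions = {}  # MicroStation pid -> (launch time, ifc path)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        image = basename(ev["image"])
        if image == "microstation.exe":
            m = IFC_ARG.search(ev["command_line"])
            if m:
                ifc_sessions[ev["pid"]] = (ev["time"], m.group(1) or m.group(2))
            else:
                ifc_sessions.pop(ev["pid"], None)  # pid reused by a non-IFC session
            continue
        session = ifc_sessions.get(ev["ppid"])
        if session is None or basename(ev["parent_image"]) != "microstation.exe":
            continue
        opened_at, ifc_path = session
        delay = ev["time"] - opened_at
        if delay <= window_seconds and image not in EXPECTED_CHILDREN:
            alerts.append({"child": image, "ifc": ifc_path, "delay": delay})
    return alerts
```

Map the field names to your own process-creation telemetry and tune the allowlist and time window before relying on the results.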
