CVE-2022-28314

7.8 HIGH

📋 TL;DR

This is a buffer overflow vulnerability in Bentley MicroStation CONNECT that allows remote code execution when users open malicious IFC files. Attackers can exploit this to run arbitrary code with the same privileges as the current user. Users of affected Bentley MicroStation versions are at risk.

💻 Affected Systems

Products:
  • Bentley MicroStation CONNECT
Versions: 10.16.02.34 and earlier versions
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with IFC file support enabled are vulnerable. IFC (Industry Foundation Classes) is a common format in BIM/CAD workflows.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via arbitrary code execution leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to data exfiltration or malware installation on the affected workstation.

🟢 If Mitigated

Limited impact if proper network segmentation and least privilege principles are enforced, potentially containing the exploit to a single workstation.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file) but can be delivered via email, downloads, or compromised websites.
🏢 Internal Only: HIGH - Internal users frequently share IFC files for collaboration, making social engineering attacks effective within organizations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious IFC file. The vulnerability is well-documented with public advisories, increasing the likelihood of weaponization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.16.02.35 and later

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0006

Restart Required: Yes

Instructions:

1. Download the latest version from Bentley's official website or update through Bentley CONNECTION Client.
2. Run the installer with administrative privileges.
3. Restart the system after installation completes.

🔧 Temporary Workarounds

Disable IFC file association (Windows)

Remove the IFC file type association with MicroStation to prevent automatic opening.

Windows: Control Panel > Default Programs > Associate a file type or protocol with a program > Remove .ifc association

Implement application whitelisting (all platforms)

Restrict execution of MicroStation to trusted locations only.

🧯 If You Can't Patch

  • Implement strict email filtering to block IFC attachments from untrusted sources
  • Use network segmentation to isolate MicroStation workstations from critical systems

🔍 How to Verify

Check if Vulnerable:

Check MicroStation version via Help > About. If version is 10.16.02.34 or earlier, the system is vulnerable.

Check Version:

In MicroStation: Help > About or check program properties in Windows

Verify Fix Applied:

Verify version is 10.16.02.35 or later in Help > About dialog.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes in MicroStation with IFC file processing
  • Unusual process creation from MicroStation executable

Network Indicators:

  • Unexpected outbound connections from MicroStation workstations
  • IFC file downloads from untrusted sources

SIEM Query:

(EventID=1000 OR EventID=1001) AND Source='MicroStation' AND (Keywords='IFC' OR Keywords='crash')
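
The log indicators above can also be checked with a short script over exported events. This is an added example, not part of the original advisory or any vendor tooling; the executable name `microstation.exe`, the JSON field names, the allowlist of expected child processes and the sample events are assumptions constructed for illustration.

```python
import json
import ntpath

# Assumptions, not taken from the advisory: the executable name, the JSON
# field names, and which child processes count as expected.
TARGET = "microstation.exe"
EXPECTED_CHILDREN = {"microstation.exe", "werfault.exe"}
CRASH_IDS = {1000, 1001}   # Application Error / Windows Error Reporting
PROC_CREATE_ID = 4688      # Security log: process creation

# Constructed sample events (one JSON object per line); paths are made up.
SAMPLE = r"""
{"host": "cad-01", "id": 1000, "app": "C:\\CAD\\MicroStation.exe", "msg": "fault while reading site.ifc"}
{"host": "cad-01", "id": 4688, "parent": "C:\\CAD\\MicroStation.exe", "image": "C:\\Windows\\System32\\cmd.exe"}
{"host": "cad-02", "id": 4688, "parent": "C:\\CAD\\MicroStation.exe", "image": "C:\\Windows\\System32\\WerFault.exe"}
{"host": "cad-03", "id": 1000, "app": "C:\\Apps\\notepad.exe", "msg": "fault"}
{"host": "cad-04", "id": 1001, "app": "C:\\CAD\\microstation.exe", "msg": "crash bucket, no file named"}
"""

def base(path):
    """Lower-cased file name of a Windows path; works on any OS."""
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return a finding label for one event, or None if it is not of interest."""
    eid = event.get("id")
    if eid in CRASH_IDS and base(event.get("app")) == TARGET:
        # A crash that mentions an IFC file matches the advisory's indicator
        # most closely; other MicroStation crashes are still worth a look.
        return "crash-ifc" if ".ifc" in event.get("msg", "").lower() else "crash"
    if eid == PROC_CREATE_ID and base(event.get("parent")) == TARGET:
        if base(event.get("image")) not in EXPECTED_CHILDREN:
            return "unexpected-child"
    return None

def scan(text):
    """Parse JSON lines and return (host, label) pairs for flagged events."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label:
            findings.append((event["host"], label))
    return findings

if __name__ == "__main__":
    for host, label in scan(SAMPLE):
        print(f"{host}: {label}")
```

A host that shows both a crash and an unexpected child process in a short window deserves priority triage over a crash alone.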
