CVE-2022-28646
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious IFC files in Bentley MicroStation CONNECT. The flaw is a buffer overflow in IFC file parsing that can lead to full system compromise. Users of affected Bentley MicroStation versions are at risk.
💻 Affected Systems
- Bentley MicroStation CONNECT
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Attacker executes arbitrary code with the privileges of the current user, potentially installing malware, stealing sensitive data, or using the system as a foothold for further attacks.
If Mitigated
If proper controls like application whitelisting and user privilege restrictions are in place, impact is limited to the user's privileges and contained within the application sandbox.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file) but the technical complexity is low once the malicious file is crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.16.2.035 or later
Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0006
Restart Required: Yes
Instructions:
1. Download and install Bentley MicroStation CONNECT version 10.16.2.035 or later from Bentley's official website.
2. Restart the system after installation.
3. Verify the update was successful by checking the version number.
🔧 Temporary Workarounds
Restrict IFC file handling
Windows: Block or restrict the opening of IFC files through group policy or application controls
User awareness training
All platforms: Train users to avoid opening IFC files from untrusted sources
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized code
- Run MicroStation with least privilege accounts and implement file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check the MicroStation version: open MicroStation and go to Help > About. The installation is vulnerable if the version is 10.16.2.034 or earlier.
Check Version:
Not applicable - check via GUI in Help > About menu
Verify Fix Applied:
After patching, verify version is 10.16.2.035 or later in Help > About
📡 Detection & Monitoring
Log Indicators:
- Unexpected process crashes of MicroStation
- Unusual file access patterns to IFC files
- Suspicious child processes spawned from MicroStation
Network Indicators:
- Outbound connections from MicroStation to unknown IPs
- Unexpected DNS queries from the application
SIEM Query:
Process Creation where Parent Process Name contains 'MicroStation' AND (Command Line contains '.ifc' OR Image contains suspicious patterns)
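
An added example (not from the vendor advisory or this page's original text) that applies the SIEM condition above to process-creation records and reports why each record matched. The Sysmon Event ID 1 field names, the list of interpreter names standing in for "suspicious patterns", the install path, and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: interpreters a CAD application has little reason to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def evaluate(event):
    """Return the reasons a process-creation event matches; empty list if none."""
    if "microstation" not in _name(event.get("ParentImage")):
        return []
    reasons = []
    child = _name(event.get("Image"))
    if child in SUSPICIOUS_CHILDREN:
        reasons.append("interpreter child: " + child)
        # Stronger signal: the parent itself was started on an IFC file.
        if ".ifc" in (event.get("ParentCommandLine") or "").lower():
            reasons.append("parent opened an .ifc file")
    if ".ifc" in (event.get("CommandLine") or "").lower():
        reasons.append("child command line references .ifc")
    return reasons

def hunt(events):
    """Return (UtcTime, Image, reasons) for every matching event, in input order."""
    return [(e["UtcTime"], e["Image"], r) for e in events if (r := evaluate(e))]

MS = r"C:\Apps\MicroStation\microstation.exe"  # constructed install path
# Constructed sample events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"UtcTime": "2022-06-01 09:00:01", "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe", "Image": MS,
     "CommandLine": MS + r" C:\Users\a\Downloads\site.ifc"},
    {"UtcTime": "2022-06-01 09:00:07", "ParentImage": MS,
     "ParentCommandLine": MS + r" C:\Users\a\Downloads\site.ifc",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo test"},
    {"UtcTime": "2022-06-01 09:05:00", "ParentImage": MS, "ParentCommandLine": MS,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\proj\notes.txt"},
    {"UtcTime": "2022-06-01 09:10:00", "ParentImage": MS, "ParentCommandLine": MS,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\proj\model.ifc"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The last sample event shows the `.ifc` command-line clause firing on a benign child, so that clause alone is better treated as context than as an alert.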