CVE-2022-43653
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious SKP files in Bentley View. Attackers can exploit an out-of-bounds write during SKP file parsing to gain code execution in the current process context. All users running vulnerable versions of Bentley View are affected.
💻 Affected Systems
- Bentley View
📦 What is this software?
View by Bentley
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Malicious actor gains code execution at the user's privilege level, enabling data exfiltration, credential theft, or installation of persistent malware.
If Mitigated
With proper controls, exploitation is limited to user-level access only, preventing system-wide compromise but still allowing data theft from the user's context.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious file) but no authentication. The ZDI advisory suggests weaponization is likely given the nature of the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Bentley Systems advisory for specific patched version
Vendor Advisory: https://www.bentley.com/
Restart Required: Yes
Instructions:
1. Visit Bentley Systems official website
2. Check for security advisories related to CVE-2022-43653
3. Download and install the latest patched version of Bentley View
4. Restart the application and system if required
🔧 Temporary Workarounds
Disable SKP file association
Remove Bentley View as the default handler for SKP files to prevent automatic opening
Windows: Control Panel > Default Programs > Set Associations > Remove .skp association with Bentley View
Linux/macOS: Update mime types to not associate .skp with Bentley View
Application control blocking
Use application control solutions to block execution of Bentley View from untrusted locations
🧯 If You Can't Patch
- Implement strict file type filtering to block SKP files at email gateways and web proxies
- Educate users to never open SKP files from untrusted sources and disable automatic file opening
🔍 How to Verify
Check if Vulnerable:
Check Bentley View version against patched version in vendor advisory
Check Version:
Bentley View: Help > About or check application properties
Verify Fix Applied:
Verify installed version matches or exceeds the patched version specified in Bentley's advisory
📡 Detection & Monitoring
Log Indicators:
- Multiple failed SKP file parsing attempts
- Unexpected Bentley View crashes with memory access violations
- Process creation from Bentley View with unusual command lines
Network Indicators:
- Downloads of SKP files from untrusted sources
- Outbound connections from Bentley View to suspicious IPs
SIEM Query:
Process: 'Bentley View' AND (EventID: 1000 OR EventID: 1001) AND ExceptionCode: 0xC0000005
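The SIEM query above, written out as detection logic over exported Windows Application log events (an added example, not code from Bentley or from the original page). It covers the Event ID 1000 case only; the executable name `BentleyView.exe`, the host names and every sample event are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: hypothetical placeholder; the page does not name the executable.
VIEWER_IMAGE = "BentleyView.exe"
ACCESS_VIOLATION = 0xC0000005

def _msg(app, code):
    """Build a constructed Event ID 1000 (Application Error) message body."""
    return (f"Faulting application name: {app}, version: 0.0.0.0, time stamp: 0x00000000\n"
            f"Faulting module name: example.dll, version: 0.0.0.0, time stamp: 0x00000000\n"
            f"Exception code: {code}\nFault offset: 0x0000000000001234")

# Constructed sample records (host, event id, time, message); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-014", 1000, "2023-01-10T09:12:44", _msg("BentleyView.exe", "0xc0000005")),
    ("WS-014", 1000, "2023-01-10T09:13:02", _msg("BentleyView.exe", "0xc0000005")),
    ("WS-022", 1000, "2023-01-10T10:01:17", _msg("BentleyView.exe", "0xc0000409")),
    ("WS-031", 1000, "2023-01-10T10:30:00", _msg("notepad.exe", "0xc0000005")),
    ("WS-040", 1000, "2023-01-10T11:45:09", _msg("bentleyview.EXE", "0xC0000005")),
    ("WS-040", 4688, "2023-01-10T11:45:10", "unrelated event"),
]

APP_RE = re.compile(r"Faulting application name:\s*([^,\r\n]+)", re.I)
CODE_RE = re.compile(r"Exception code:\s*0x([0-9a-f]+)", re.I)

def viewer_access_violations(events, image=VIEWER_IMAGE):
    """Return (host, time) for each Event ID 1000 where `image` hit 0xC0000005."""
    hits = []
    for host, event_id, time, message in events:
        if event_id != 1000:
            continue
        app, code = APP_RE.search(message), CODE_RE.search(message)
        if not app or not code:
            continue  # malformed or truncated message: skip rather than guess
        if (app.group(1).strip().lower() == image.lower()
                and int(code.group(1), 16) == ACCESS_VIOLATION):
            hits.append((host, time))
    return hits

def repeat_crash_hosts(hits, threshold=2):
    """Hosts with at least `threshold` matching crashes, with their timestamps."""
    per_host = defaultdict(list)
    for host, time in hits:
        per_host[host].append(time)
    return {h: t for h, t in per_host.items() if len(t) >= threshold}

if __name__ == "__main__":
    print(repeat_crash_hosts(viewer_access_violations(SAMPLE_EVENTS)))
```

A single access-violation crash is weak evidence on its own; repeated crashes on one host shortly after an SKP file arrived are the stronger signal to triage.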