CVE-2021-46604 in MicroStation CONNECT
Summary
by MITRE • 02/18/2022
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PNG images. Crafted data in a PNG image can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15398.
Analysis
by VulDB Data Team • 02/19/2022
This vulnerability is an out-of-bounds write in Bentley MicroStation CONNECT version 10.16.0.80 that allows remote code execution through a crafted PNG image file. The flaw occurs while PNG image data is parsed: a maliciously constructed file causes the application to write beyond the end of an allocated memory buffer. The issue is classified under CWE-121, which covers stack-based buffer overflows. Note, however, that the advisory itself only states that the write goes past the end of "an allocated buffer" and does not say whether that buffer lives on the stack or the heap, so defenders should not assume either region when assessing exploit mitigations. Exploitation requires user interaction: the target must open the crafted file in MicroStation, or visit a page that delivers it to the application.
The root cause, as far as the advisory describes it, is insufficient bounds checking in MicroStation's PNG image handling: size values taken from the file are trusted when image data is copied into memory, so a malformed file whose declared chunk sizes do not match the buffers the parser allocates leads to memory corruption that overwrites adjacent memory. This is the usual shape of an image-parser overflow, and the advisory does not name the specific chunk or field involved. Successful exploitation yields code execution in the context of the current process, that is, with the privileges of the user who opened the file. This is not a privilege escalation in itself, but it hands the attacker everything that user can reach, including design data, network shares and any credentials cached on the workstation. VulDB maps the issue to ATT&CK T1203 (Exploitation for Client Execution) and T1059.007 (Command and Scripting Interpreter: JavaScript), the latter reflecting the web-delivery path mentioned in the advisory.
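To make the bug class concrete, the following is an added example written for this page, not Bentley's code and not the actual flawed routine in MicroStation (which is not public). It shows the vulnerable pattern, a copy governed only by the chunk length read from the file, next to a hardened chunk walker that checks every declared length against the bytes actually present and the capacity of the destination before copying. The PNG samples are constructed inline; CRC fields are placeholders and are deliberately not verified, since the point is length validation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PNG_SIG_LEN 8
#define PNG_MAX_CHUNK_LEN 0x7FFFFFFFu   /* PNG spec: chunk length must fit in 31 bits */

static const uint8_t PNG_SIG[PNG_SIG_LEN] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

struct png_info {
    uint32_t width, height;
    uint8_t bit_depth, color_type;
    size_t chunks;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern (illustrative, never call it): the copy length comes straight
   from the file. A chunk that declares more bytes than dst holds writes past its end. */
void chunk_copy_unchecked(uint8_t *dst, const uint8_t *src, uint32_t declared_len) {
    memcpy(dst, src, declared_len);
}

/* Hardened form: the declared length must fit both the destination and the
   input that is actually present. Returns 0 on success, -1 if rejected. */
int chunk_copy_checked(uint8_t *dst, size_t dst_cap, const uint8_t *src,
                       size_t src_remaining, uint32_t declared_len) {
    if (declared_len > dst_cap || declared_len > src_remaining) return -1;
    memcpy(dst, src, declared_len);
    return 0;
}

/* Walks the chunk list of an in-memory PNG, validating each length field before it
   is used for copying or for advancing the cursor. Returns 0 on success, negative
   on malformed structure. CRCs are not checked (out of scope for this example). */
int png_parse(const uint8_t *buf, size_t len, struct png_info *out) {
    uint8_t ihdr[13];
    size_t off = PNG_SIG_LEN;
    int seen_ihdr = 0, seen_iend = 0;

    if (len < PNG_SIG_LEN || memcmp(buf, PNG_SIG, PNG_SIG_LEN) != 0) return -1;
    memset(out, 0, sizeof *out);

    while (!seen_iend) {
        if (len - off < 12) return -2;                 /* length + type + CRC minimum */
        uint32_t clen = be32(buf + off);
        const uint8_t *ctype = buf + off + 4;
        const uint8_t *cdata = buf + off + 8;
        if (clen > PNG_MAX_CHUNK_LEN) return -3;       /* violates the format itself */
        if (clen > len - off - 12) return -4;          /* declares more data than exists */

        if (memcmp(ctype, "IHDR", 4) == 0) {
            if (seen_ihdr || clen != 13) return -5;    /* IHDR is fixed-size and unique */
            if (chunk_copy_checked(ihdr, sizeof ihdr, cdata, len - off - 12, clen) != 0) return -6;
            out->width = be32(ihdr);
            out->height = be32(ihdr + 4);
            out->bit_depth = ihdr[8];
            out->color_type = ihdr[9];
            if (out->width == 0 || out->height == 0 ||
                out->width > PNG_MAX_CHUNK_LEN || out->height > PNG_MAX_CHUNK_LEN) return -7;
            seen_ihdr = 1;
        } else if (!seen_ihdr) {
            return -8;                                 /* IHDR must be the first chunk */
        } else if (memcmp(ctype, "IEND", 4) == 0) {
            seen_iend = 1;
        }
        out->chunks++;
        off += 12 + clen;   /* safe: clen <= len - off - 12 was enforced above */
    }
    return 0;
}

/* Constructed sample: well-formed 2x3 RGBA image skeleton (CRC bytes are placeholders). */
static const uint8_t ok_png[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 2, 0, 0, 0, 3, 8, 6, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 1, 'I', 'D', 'A', 'T', 0x00, 0, 0, 0, 0,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0
};
/* Constructed sample: IHDR length field claims 0x7FFFFFFF bytes, far more than the file holds. */
static const uint8_t crafted_png[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0x7F, 0xFF, 0xFF, 0xFF, 'I', 'H', 'D', 'R', 0, 0, 0, 2, 0, 0, 0, 3, 8, 6, 0, 0, 0, 0, 0, 0, 0
};
/* Constructed sample: length field with the top bit set, which the format forbids. */
static const uint8_t oversize_png[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0xFF, 0xFF, 0xFF, 0xFF, 'I', 'H', 'D', 'R', 0, 0, 0, 2, 0, 0, 0, 3, 8, 6, 0, 0, 0, 0, 0, 0, 0
};

int main(void) {
    struct png_info info;
    printf("ok_png      -> %d\n", png_parse(ok_png, sizeof ok_png, &info));
    printf("crafted_png -> %d\n", png_parse(crafted_png, sizeof crafted_png, &info));
    printf("oversize    -> %d\n", png_parse(oversize_png, sizeof oversize_png, &info));
    return 0;
}
```

The two checks that matter are the comparison of the declared length against the remaining input before any copy or cursor advance, and the comparison against the destination capacity inside chunk_copy_checked; the unchecked variant performs neither, which is exactly the condition the advisory describes. A real decoder also needs the same discipline for values derived from IHDR (row buffer sizes computed from width, channels and bit depth), which this example only range-checks.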
The operational impact goes beyond a single code execution: an attacker who lands in the MicroStation process can establish persistence on the workstation and pivot from there. MicroStation is used in engineering and design environments where staff routinely open files received from partners, contractors and clients, so the realistic delivery path is not only a web page but a social engineering campaign aimed at CAD professionals, for example a PNG embedded in or referenced by a project deliverable. Organisations that rely on MicroStation for infrastructure and industrial design therefore face exposure of sensitive engineering data as well as of the workstations themselves. In networked deployments the risk compounds: a single crafted image placed on a shared project drive or file server is opened by every user who works with that project.
Mitigation should start with upgrading affected installations to a release in which Bentley has fixed the issue. Until that is done, reduce exposure by filtering or quarantining image and CAD attachments from untrusted senders at the mail and web gateways, and by restricting which users can import external files into MicroStation. Network intrusion detection is of limited value here because a crafted PNG does not differ from a benign one on the wire, so detection is better placed on the endpoint: monitor for the MicroStation process spawning command interpreters or unexpected child processes, writing executables, or making unusual outbound connections. Users should be warned about opening image and design files from untrusted sources and reminded to keep the application current. Application allowlisting does not stop shellcode running inside the MicroStation process, but it does block the second-stage binaries an attacker typically drops afterwards, and exploit mitigations such as DEP, ASLR and CFG raise the cost of turning the out-of-bounds write into reliable code execution. Running MicroStation under a least-privilege account and, where practical, in a sandboxed or isolated workstation limits what a successful exploit can reach. Finally, since the same bug class recurs across image and CAD parsers, regular security assessments should check whether other applications in the environment handle untrusted files with similar weaknesses.