CVE-2022-28308 in Viewinfo

Summary

by MITRE • 03/29/2023

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley View 10.16.02.022. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of 3DS files. Crafted data in a 3DS file can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-16307.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/17/2026

The vulnerability identified as CVE-2022-28308 represents a critical security flaw in Bentley View version 10.16.02.022, a widely used desktop application for viewing and analyzing 3D design models. This issue falls under the category of buffer over-read conditions that can potentially lead to information disclosure and arbitrary code execution. The vulnerability specifically affects the application's handling of 3DS file format parsing, which is a common exchange format in the AEC (Architecture, Engineering, Construction) industry. The flaw exists within the software's memory management routines when processing malformed 3DS files, creating a scenario where an attacker can manipulate the parsing logic to access memory regions beyond the intended buffer boundaries. This vulnerability is particularly concerning given the widespread adoption of Bentley View across engineering and construction firms globally, where the application serves as a primary tool for reviewing complex 3D models and design files.

The technical implementation of this vulnerability stems from improper bounds checking during the 3DS file parsing process, which constitutes a classic buffer over-read condition classified as CWE-125. When a malicious 3DS file is processed by Bentley View, the application fails to validate the size and structure of the data segments within the file before attempting to read them into memory. This allows an attacker to craft a specially designed 3DS file that contains malformed data structures, causing the parser to read beyond the allocated memory buffer and potentially access adjacent memory regions. The vulnerability requires user interaction to be exploited, meaning that a target must either visit a malicious webpage hosting the crafted 3DS file or open the malicious file directly, making this a client-side attack vector that relies on social engineering tactics. The attack chain typically involves the user opening a malicious 3DS file, which triggers the vulnerable code path in the application's 3DS parser, leading to the buffer over-read condition.

The operational impact of this vulnerability extends beyond simple information disclosure to potentially enable full system compromise. While the primary effect is read past the end of buffer conditions that can expose sensitive memory contents, the vulnerability's potential for arbitrary code execution makes it particularly dangerous in enterprise environments. Attackers can leverage this vulnerability as part of a multi-stage attack, using the information disclosure aspect to gather system details or credentials before executing more sophisticated attacks. The vulnerability affects organizations that rely heavily on 3D modeling and design software, creating a significant risk for companies in sectors such as architecture, engineering, construction, and manufacturing. The presence of this vulnerability in a widely used application like Bentley View means that a successful exploitation could potentially impact thousands of organizations worldwide, especially those that regularly exchange 3D design files with partners and clients. The attack surface is further expanded due to the common practice of sharing 3D models through email attachments, file sharing systems, and collaborative platforms where such malicious files could easily be introduced.

Organizations should implement immediate mitigations to protect against exploitation of this vulnerability, including restricting user access to potentially malicious files and ensuring that Bentley View is updated to the latest version that contains the necessary patches. The recommended approach involves disabling automatic opening of 3DS files in web browsers and email clients, implementing strict file validation policies, and conducting regular security awareness training for employees who handle 3D design files. From a defensive standpoint, this vulnerability aligns with ATT&CK technique T1203, which involves exploiting software vulnerabilities to gain access to systems, and T1059, which covers the use of command and scripting interpreters. Security teams should monitor for suspicious file access patterns and implement network segmentation to limit the potential impact of successful exploitation. The vulnerability also highlights the importance of secure coding practices in commercial software development, particularly around memory management and input validation, as outlined in various security frameworks including the OWASP Top Ten and NIST cybersecurity guidelines. Organizations should also consider implementing application whitelisting policies that restrict execution of unauthorized software, particularly in environments where 3D modeling applications are frequently used.

Reservation

03/31/2022

Disclosure

03/29/2023

Moderation

accepted

CPE

ready

EPSS

0.00613

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!