CVE-2021-34875: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2021-34875 is a remote code execution vulnerability affecting Bentley View version 10.15.0.75. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was disclosed on December 8, 2021. The vulnerability exists within the parsing of 3DS files, where crafted data can trigger a write past the end of an allocated buffer (ZDI Advisory, Bentley Advisory).

The vulnerability has a CVSS v3.1 base score of 7.8 (High) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The specific flaw exists within the parsing of 3DS files, where improper validation of user-supplied data can result in a write past the end of an allocated buffer. The vulnerability is classified as CWE-787 (Out-of-bounds Write) (NVD, ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. User interaction is required for exploitation, as the target must visit a malicious page or open a malicious file (ZDI Advisory).

Bentley has released version 10.16.02 to address this vulnerability. Users are recommended to update to the latest version of the software. As a general best practice, it is also recommended to only open 3DS files from trusted sources (Bentley Advisory).