CVE-2021-34880: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

Bentley View version 10.15.0.75 contains a remote code execution vulnerability (CVE-2021-34880) that affects the parsing of 3DS files. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was disclosed on December 8, 2021. This vulnerability allows remote attackers to execute arbitrary code on affected installations, though user interaction is required to exploit it by opening a malicious file (ZDI Advisory).

The vulnerability exists within the parsing of 3DS files. Specifically, crafted data in a 3DS file can trigger a read past the end of an allocated buffer (out-of-bounds read). The vulnerability has been assigned a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity with local access required and user interaction needed (Bentley Advisory).

An attacker can leverage this vulnerability to execute arbitrary code in the context of the current process. This could potentially allow complete control over the affected system if successfully exploited (ZDI Advisory).

Bentley has released version 10.16.02.* and more recent versions to address this vulnerability. Users are recommended to update to the latest version of the software. As a general best practice, it is also recommended to only open 3DS files coming from trusted sources (Bentley Advisory).