CVE-2021-34889: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

A vulnerability was discovered in Bentley View's 3DS file parsing functionality (CVE-2021-34889). The vulnerability was disclosed on December 8, 2021, and affects versions of Bentley View prior to 10.16.02.*. The issue stems from improper validation of user-supplied data when parsing 3DS files (Bentley Advisory, ZDI Advisory).

The vulnerability is an out-of-bounds read issue that occurs during the parsing of 3DS files. The specific flaw exists due to lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 score of 3.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) (ZDI Advisory).

This vulnerability allows attackers to disclose sensitive information on affected installations of Bentley View. The vulnerability requires user interaction, specifically that the target must open a malicious file. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to potentially execute arbitrary code in the context of the current process (ZDI Advisory).

Bentley has released version 10.16.02.* to address this vulnerability. Users are recommended to update to the latest version of the software. As a general best practice, Bentley also recommends only opening 3DS files from trusted sources (Bentley Advisory).