CVE-2021-34911: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2021-34911 is a remote code execution vulnerability discovered in Bentley View version 10.15.0.75. The vulnerability was disclosed on December 8th, 2021, and affects the software's 3DS file parsing functionality. This security flaw allows remote attackers to execute arbitrary code on affected installations, though user interaction is required as the target must visit a malicious page or open a malicious file (Zero Day Initiative, Vendor Advisory).

The vulnerability stems from a use-after-free condition within the parsing of 3DS files. Specifically, the issue results from the lack of validating the existence of an object prior to performing operations on the object. The vulnerability has been assigned a CVSS v3.1 score of 7.8 (High) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, user interaction required, and high impacts on confidentiality, integrity, and availability (Zero Day Initiative).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The high CVSS score reflects the severe potential impact on system security, as successful exploitation could lead to complete compromise of the affected system (Zero Day Initiative).

Bentley has released version 10.16.02.* and more recent versions to address this vulnerability. The vendor recommends updating to the latest versions of MicroStation and MicroStation-based applications. As an additional security measure, users are advised to only open 3DS files from trusted sources (Vendor Advisory).