CVE-2021-46629: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2021-46629 is a vulnerability discovered in Bentley View 10.15.0.75 that allows remote attackers to disclose sensitive information. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was publicly disclosed on January 31st, 2022. The vulnerability affects Bentley View and MicroStation-based applications versions prior to 10.16.02 (Vendor Advisory, ZDI Advisory).

The vulnerability exists within the parsing of BMP images and results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. It is classified as CWE-125 (Out-of-bounds Read). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) by NIST NVD, while Zero Day Initiative rated it as 3.3 LOW (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) (NVD, ZDI Advisory).

The vulnerability allows attackers to disclose sensitive information on affected installations of Bentley View. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to potentially execute arbitrary code in the context of the current process (ZDI Advisory).

Bentley has released version 10.16.02 and more recent versions to address this vulnerability. Users are recommended to update to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open BMP files coming from trusted sources (Vendor Advisory).