CVE-2021-46636: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2021-46636) was discovered in Bentley MicroStation CONNECT version 10.16.0.80. The vulnerability exists within the parsing of DGN files, where crafted data can trigger a read past the end of an allocated buffer. This vulnerability requires user interaction, specifically that the target must visit a malicious page or open a malicious file (Zero Day Initiative, Vendor Advisory).

The vulnerability is tracked as CVE-2021-46636 with a CVSS v3.1 base score of 7.8 (HIGH) with the vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The specific flaw exists within the parsing of DGN files where crafted data can trigger a read past the end of an allocated buffer. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (Zero Day Initiative).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. Given the high CVSS score and the potential for code execution, this vulnerability could lead to complete system compromise if exploited (Zero Day Initiative).

Bentley has issued an update to correct this vulnerability. Users should upgrade to version 10.16.02 or later of MicroStation and MicroStation-based applications. As a general best practice, it is recommended to only open DGN files from trusted sources (Vendor Advisory).