CVE-2021-46643: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

This vulnerability (CVE-2021-46643) affects Bentley View version 10.15.0.75 and allows remote attackers to execute arbitrary code. The vulnerability requires user interaction, specifically opening a malicious file or visiting a malicious page. The flaw exists within the parsing of DGN files and was discovered by Mat Powell of Trend Micro Zero Day Initiative (ZDI Advisory, Bentley Advisory).

The vulnerability stems from improper validation of user-supplied data length before copying it to a stack-based buffer during DGN file parsing. The issue has been assigned a CVSS v3.1 base score of 7.8 (High) with the following vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates local access is required, low attack complexity, no privileges required, user interaction required, and high impacts on confidentiality, integrity, and availability (ZDI Advisory).

A successful exploit could allow an attacker to execute arbitrary code in the context of the current process. This means the attacker could potentially gain the same privileges as the application running the vulnerable code, allowing them to execute malicious commands, access sensitive data, or take control of the affected system (ZDI Advisory).

Bentley has released version 10.16.02 to address this vulnerability. Users are recommended to update to this or a more recent version. Additionally, as a general best practice, users should only open DGN files from trusted sources (Bentley Advisory).