CVE-2021-46650: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

This vulnerability (CVE-2021-46650) affects Bentley MicroStation CONNECT version 10.16.0.80. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was disclosed on January 31, 2022. The vulnerability exists within the parsing of DGN files and requires user interaction to exploit, specifically requiring the target to visit a malicious page or open a malicious file (Zero Day Initiative).

The vulnerability stems from a lack of proper validation of user-supplied data during DGN file parsing, which can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) by NVD with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, while Zero Day Initiative assigned it a lower score of 3.3 (LOW) with vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (NVD).

The vulnerability allows attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (Zero Day Initiative).

Bentley has issued an update to correct this vulnerability. Users should upgrade to version 10.16.02 or later of MicroStation CONNECT. As a general best practice, it is recommended to only open DGN files coming from trusted sources (Bentley Advisory).