CVE-2022-28302: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2022-28302 is a vulnerability discovered in Bentley MicroStation CONNECT 10.16.02.34 that allows remote attackers to execute arbitrary code. The vulnerability was reported on February 9, 2022, and publicly disclosed on April 12, 2022. The vulnerability affects MicroStation CONNECT and Bentley View versions up to (excluding) 10.16.03 (ZDI Advisory, Bentley Advisory).

The vulnerability exists within the parsing of IFC files and is classified as an Out-of-Bounds Read (CWE-125). When parsing IFC files, crafted data can trigger a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The high CVSS score indicates that the vulnerability can lead to a complete compromise of the system's confidentiality, integrity, and availability, though user interaction is required (ZDI Advisory).

Bentley has issued an update to correct this vulnerability. Users should upgrade to MicroStation and Bentley View version 10.16.03 or later. As a general best practice, it is recommended to only open IFC files from trusted sources (Bentley Advisory).