CVE-2022-28306: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2022-28306 is a remote code execution vulnerability discovered in Bentley MicroStation CONNECT version 10.16.02.034 and prior versions. The vulnerability was disclosed on April 12, 2022, affecting both MicroStation and Bentley View applications. The flaw exists within the parsing of OBJ files, where lack of proper validation of user-supplied data length before copying to a fixed-length stack-based buffer creates a security risk (ZDI Advisory).

The vulnerability is a stack-based buffer overflow (CWE-121) that occurs during OBJ file parsing. The specific issue stems from insufficient validation of the length of user-supplied data before it is copied to a fixed-length stack-based buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, and user interaction required (ZDI Advisory, Bentley Advisory).

Successful exploitation of this vulnerability allows attackers to execute arbitrary code in the context of the current process. This means an attacker could potentially gain the same privileges as the application running the vulnerable code, leading to complete system compromise (ZDI Advisory).

Bentley has released version 10.16.03.* and more recent versions to address this vulnerability. Users are recommended to update to the latest versions of MicroStation and MicroStation-based applications. As an additional security measure, users should only open OBJ files from trusted sources (Bentley Advisory).