CVE-2022-28310: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2022-28310 is a remote code execution vulnerability affecting Bentley MicroStation CONNECT version 10.16.02.034 and prior versions. The vulnerability was discovered in January 2022 and publicly disclosed in April 2022. The flaw exists within the parsing of SKP files and affects both MicroStation and MicroStation-based applications like Bentley View (ZDI Advisory, Bentley Advisory).

The vulnerability stems from a use-after-free condition in the SKP file parsing functionality. The specific flaw results from the lack of validating the existence of an object prior to performing operations on the object. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, and user interaction required (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The high CVSS score reflects the potential for complete compromise of system confidentiality, integrity, and availability, though user interaction is required as the target must visit a malicious page or open a malicious file (ZDI Advisory).

Bentley has released version 10.16.03 and more recent versions to address this vulnerability. Users are recommended to update to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open SKP files coming from trusted sources (Bentley Advisory).