CVE-2022-28644: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2022-28644 is a vulnerability discovered in Bentley MicroStation CONNECT 10.16.02.34 that allows remote attackers to execute arbitrary code. The vulnerability requires user interaction, specifically opening a malicious file or visiting a malicious page. The flaw exists within the parsing of DGN files, where crafted data can trigger a write past the end of an allocated buffer (Zero Day Initiative, Vendor Advisory).

The vulnerability is classified as an Out-of-bounds Write (CWE-787) with a CVSS v3.1 base score of 7.8 HIGH (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The specific flaw exists within the parsing of DGN files, where crafted data can trigger a write past the end of an allocated buffer. This vulnerability affects MicroStation CONNECT versions up to (excluding) 10.16.03 (Zero Day Initiative).

When successfully exploited, this vulnerability allows attackers to execute code in the context of the current process, potentially leading to complete system compromise. The high CVSS score reflects the severity of potential impacts on confidentiality, integrity, and availability of the affected system (Zero Day Initiative).

Bentley has issued an update to correct this vulnerability. Users should upgrade to MicroStation version 10.16.03 or later. As a general best practice, it is recommended to only open DGN files from trusted sources (Vendor Advisory).