CVE-2021-46625
Description
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of JT files. The issue results from the lack of validating the existence of an object prior to performing further free operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15455.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bentley View 10.15.0.75 contains a use-after-free vulnerability in JT file handling that lets remote attackers execute arbitrary code via a crafted file.
Vulnerability
The vulnerability exists in Bentley View 10.15.0.75 within the handling of JT files. The flaw is a use-after-free caused by the lack of validating an object's existence before performing further free operations. This allows an attacker to remotely execute arbitrary code on an affected installation. The issue is part of a larger set of vulnerabilities in MicroStation and MicroStation-based applications documented in BE-2021-0005 [1] and ZDI-22-212 [2].
Exploitation
Exploitation requires user interaction: the target must visit a malicious page or open a maliciously crafted JT file. An attacker can leverage the double-free or use-after-free condition in the JT file parsing code path. The attacker needs to craft a JT file that triggers the free operation on an already-freed object, then control the freed memory to achieve code execution [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current process (Bentley View). This can lead to full compromise of the victim's system, including confidentiality, integrity, and availability impacts, as reflected by the CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) [1][2].
Mitigation
Bentley published advisory BE-2021-0005 on 2021-12-07, recommending users upgrade to the latest version of MicroStation and MicroStation-based applications, including Bentley View. The fix addresses the use-after-free vulnerability in JT file parsing. Users should ensure they have applied the update released for their product [1]. As of the advisory date, no workaround is provided other than upgrading. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalogue.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 10.15.0.75
- Bentley/View v5 Range: 10.15.0.75
Patches
No patches discovered yet.
References
- [1] www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005 (mitre, x_refsource_MISC)
- [2] www.zerodayinitiative.com/advisories/ZDI-22-212/ (mitre, x_refsource_MISC)