BE-2021-0014: Use-after-free vulnerability in MicroStation and MicroStation-based applications
Bentley ID: BE-2021-0014
CVE ID: CVE-2021-34872
Severity: 7.8
CVSS v3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Publication date: 2021-12-07
Revision date: 2021-12-07
Summary
MicroStation and MicroStation-based applications may be affected by a use-after-free vulnerability when opening maliciously crafted SKP files. Exploiting this vulnerability could lead to code execution.
Details
The following vulnerability related to this advisory was discovered by TrendMicro ZDI: ZDI-CAN-14737. Using an affected version of MicroStation or MicroStation-based application to open a SKP file containing maliciously crafted data can trigger a use-after-free vulnerability. Exploitation of this vulnerability within the parsing of SKP files could enable an attacker to execute arbitrary code in the context of the current process.
Affected Versions
| Applications | Affected Versions | Mitigated Versions |
| MicroStation | Versions prior to 10.16.02.* | 10.16.02.* and more recent |
| Bentley View | Versions prior to 10.16.02.* | 10.16.02.* and more recent |
Recommended Mitigations
Bentley recommends updating to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open SKP files coming from trusted sources.
Acknowledgement
Thanks to Francis Provencher {PRL} for discovering this vulnerability.
Revision History
| Date | Description |
| 2021-12-07 | First version of this advisory |
