BE-2022-0009: SKP File Parsing Use-After-Free vulnerabilities in MicroStation and MicroStation-based applications
Bentley ID: BE-2022-0009
CVE ID: CVE-2022-28303, CVE-2022-28310
CVSS v3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Publication date: 2022-04-05
Revision date: 2022-04-05
MicroStation and MicroStation-based applications may be affected by use-after-free vulnerabilities when opening maliciously crafted SKP files. Exploiting these vulnerabilities could lead to code execution.
The following vulnerabilities related to this advisory were discovered by TrendMicro ZDI: ZDI-CAN-16280 and ZDI-CAN-16339. Using an affected version of MicroStation or MicroStation-based application to open a SKP file containing maliciously crafted data can force a use-after-free vulnerability. Exploitation of these vulnerabilities within the parsing of SKP files could enable an attacker to execute arbitrary code in the context of the current process.
|Applications||Affected Versions||Mitigated Versions|
|MicroStation||10.16.02.* and prior versions||10.16.03.* and more recent|
|Bentley View||10.16.02.* and prior versions||10.16.03.* and more recent|
Bentley recommends updating to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open SKP files coming from trusted sources.
Thanks to Mat Powell of Trend Micro Zero Day Initiative for discovering these vulnerabilities.
|2022-04-05||First version of this advisory|