BE-2022-0003: 3DS File Parsing Out-Of-Bounds Read in MicroStation and MicroStation-based applications
Bentley ID: BE-2022-0003
CVE ID: CVE-2022-28308, CVE-2022-28309, CVE-2022-28312, CVE-2022-28313
Severity: 3.3 (low)
CVSS v3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Publication date: 5th April 2022
Revision date: 5th April 2022
MicroStation and MicroStation-based applications may be affected by out-of-bounds read vulnerabilities when opening maliciously crafted 3DS files. Exploiting these vulnerabilities might lead to information disclosure.
The following vulnerabilities related to this advisory were discovered by Trend Micro ZDI: ZDI-CAN-16307, ZDI-CAN-16308, ZDI-CAN-16342 and ZDI-CAN-16343.
Using an affected version of MicroStation or a MicroStation-based application to open a 3DS file containing maliciously crafted data can force an out-of-bounds read. Exploitation of these vulnerabilities within the parsing of 3DS files could enable information disclosure in the context of the current process.
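The advisory does not say which 3DS structure is mishandled. As an added illustration (not Bentley's code), the following shows the check a 3DS chunk walker needs: every file-supplied chunk length is validated against the bytes actually remaining before anything is read, which is the check whose absence turns a crafted length into an out-of-bounds read. The container chunk IDs are an assumed subset of the format and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* A 3DS file is a tree of chunks: 2-byte little-endian ID, then a 4-byte
 * little-endian length that counts the 6-byte header itself. */
#define CHUNK_HDR_LEN 6u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Chunks whose payload is itself a chunk list (MAIN3DS, EDIT3DS, KEYF3DS);
 * an assumed subset sufficient for this example. */
static int is_container(uint16_t id) {
    return id == 0x4D4D || id == 0x3D3D || id == 0xB000;
}
/* Walk the chunks in buf[0..len). Returns the number of chunks accepted, or
 * -1 as soon as a declared length does not fit the bytes that remain. Every
 * comparison is against the remaining span (len - off), never against the
 * file-supplied length alone, so no computed offset can leave the buffer. */
int walk_3ds_chunks(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < CHUNK_HDR_LEN) return -1;   /* header would overrun */
        uint16_t id = rd16(buf + off);
        uint32_t clen = rd32(buf + off + 2);
        /* Length includes the header: smaller is malformed (0 would never
         * advance); larger than the remainder is the out-of-bounds read case. */
        if (clen < CHUNK_HDR_LEN || clen > len - off) return -1;
        count++;
        if (is_container(id)) {
            int sub = walk_3ds_chunks(buf + off + CHUNK_HDR_LEN, clen - CHUNK_HDR_LEN);
            if (sub < 0) return -1;
            count += sub;
        }
        off += clen;
    }
    return count;
}

/* Constructed samples. Well-formed: MAIN3DS(22) > EDIT3DS(16) > 0x0100 leaf(10). */
const uint8_t good_3ds[] = { 0x4D,0x4D, 0x16,0,0,0,  0x3D,0x3D, 0x10,0,0,0,
                             0x00,0x01, 0x0A,0,0,0,  0x00,0x00,0x80,0x3F };
/* Same tree, but the leaf claims 4096 bytes: an unchecked parser reads past the end. */
const uint8_t bad_3ds[]  = { 0x4D,0x4D, 0x16,0,0,0,  0x3D,0x3D, 0x10,0,0,0,
                             0x00,0x01, 0x00,0x10,0,0,  0x00,0x00,0x80,0x3F };
/* Zero-length chunk: a naive walker would never advance past it. */
const uint8_t zero_3ds[] = { 0x4D,0x4D, 0,0,0,0 };
```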
| Applications | Affected Versions | Mitigated Versions |
| --- | --- | --- |
| MicroStation | 10.16.02.* and prior versions | 10.16.03.* and more recent |
| Bentley View | 10.16.02.* and prior versions | 10.16.03.* and more recent |
Bentley recommends updating to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open 3DS files coming from trusted sources.
Thanks to Mat Powell of Trend Micro Zero Day Initiative for discovering these vulnerabilities.
| Date | Revision |
| --- | --- |
| 5th April 2022 | First version of the advisory |