CVE-2022-42901 MicroStation and MicroStation-based applications could be affected by out-of-bounds and stack overflow issues when opening crafted XMT files. This could lead to information disclosure and code execution.

This issue was publicly disclosed on October 11, 2018. Users are encouraged to update their software to avoid being affected by this security issue.

VDX files created by MicroStation with the “WAVEFORM: USE WAVEFORM XMT” setting enabled may cause out-of-bounds memory access during parsing. Exploitation of this issue could lead to remote code execution. The fixed version is 10.17.01.57. This issue was publicly disclosed on October 9, 2018. Users are encouraged to update their software to avoid being affected by this security issue.

The out-of-bounds memory access issue was also fixed in MicroStation. Users are encouraged to update their software to avoid being affected by this security issue.

When the XMFF or XMFF+ file format is used with Bentley Microstation, the saved file may cause a stack overflow due to lack of proper alignment. Exploitation of this issue may lead to remote code execution. The fixed version is 10.17.01.56. This issue was publicly disclosed on October 4, 2018. Users are encouraged to update their software to avoid being affected by this security issue.

VDX versions and updates with no new version releases

In MicroStation 10.17.01.57, MicroStation fixed the out-of-bounds memory access issue with VDX files created with the “WAVEFORM: USE WAVEFORM XMT” setting enabled. People who have not updated their software to this security fix or have not installed a new version of MicroStation are vulnerable to this issue. Those who use VDX files created in Bentley Microstation are also vulnerable as a result of this vulnerability.

VDX and MicroStation Software Versions Affected

The out-of-bounds memory access issue was also fixed in MicroStation. Users are encouraged to update their software to avoid being affected by this security issue.

This issue was publicly disclosed on October 4, 2018. Users are encouraged to update their software to avoid being affected by this security issue.

VDX File Compression and Decompression

This issue was publicly disclosed on October 6, 2018. Users are encouraged to update their software to avoid being affected by this security issue.

Bentley Microstation VDX files may be compressed with an invalid compression algorithm that leads to a stack overflow. Exploitation of this issue may lead to remote code execution. The fixed version is 10.17.01.55

VDX file format security issues

There are a number of security issues that have been identified with the VDX file format. Users are encouraged to update their software to avoid being affected by these security issues.

The following table contains the release dates for each of the above security updates and what versions of Bentley Microstation were fixed in those releases.

VXD file format security issues:
This issue was publicly disclosed on October 11, 2018. Users are encouraged to update their software to avoid being affected by this security issue.

Timeline

Published on: 10/13/2022 03:15:00 UTC
Last modified on: 10/13/2022 20:26:00 UTC

References

• https://www.bentley.com/legal/common-vulnerability-exposure-be-2022-0018/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42901