CVE-2022-42899 Overview
CVE-2022-42899 is a high-severity vulnerability affecting Bentley MicroStation and MicroStation-based applications, including Bentley View. The vulnerability manifests as out-of-bounds read and stack overflow issues when processing specially crafted SKP (SketchUp) files. Successful exploitation of these memory corruption flaws could enable attackers to achieve information disclosure and arbitrary code execution on affected systems.
Critical Impact
Attackers can craft malicious SKP files that, when opened by a user in vulnerable MicroStation or Bentley View applications, may trigger memory corruption leading to sensitive information disclosure or arbitrary code execution with the privileges of the current user.
Affected Products
- Bentley MicroStation versions prior to 10.17.01.58*
- Bentley View versions prior to 10.17.01.19*
Discovery Timeline
- 2022-10-13 - CVE-2022-42899 published to NVD
- 2025-05-15 - Last updated in NVD database
Technical Details for CVE-2022-42899
Vulnerability Analysis
This vulnerability involves two related memory corruption issues: an out-of-bounds read (CWE-125) and a stack overflow condition. The flaws are triggered during the parsing of SKP (SketchUp) file formats within Bentley MicroStation and Bentley View applications. When a user opens a maliciously crafted SKP file, the application fails to properly validate input boundaries, allowing an attacker to read memory beyond allocated buffers or overflow the stack.
The out-of-bounds read condition can expose sensitive memory contents to an attacker, potentially leaking information useful for further exploitation. The stack overflow component presents a more severe risk, as it could allow an attacker to overwrite the return address or other critical stack data, ultimately leading to arbitrary code execution.
Since exploitation requires user interaction—specifically opening a malicious file—this is classified as a local attack vector. No special privileges are required beyond convincing a user to open the crafted file, making social engineering a viable delivery mechanism for exploitation attempts.
Root Cause
The root cause lies in improper input validation during the parsing of SKP file structures. The application does not adequately verify that data lengths and offsets within the SKP file are within expected boundaries before using them in memory operations. This leads to:
- Out-of-Bounds Read: Array or buffer accesses using attacker-controlled indices or sizes that exceed the allocated memory region
- Stack Overflow: Recursive or iterative processing of nested file structures without proper depth checks, or copying attacker-controlled data lengths onto the stack without boundary validation
Attack Vector
The attack vector for CVE-2022-42899 requires local access and user interaction. An attacker would typically:
- Craft a malicious SKP file containing specially constructed data structures designed to trigger the memory corruption conditions
- Deliver the malicious file to the target user via email attachment, file sharing platforms, or compromised project repositories
- Social engineer the victim into opening the file using Bentley MicroStation or Bentley View
- Upon file opening, the vulnerable parsing routines process the malicious data, triggering the out-of-bounds read or stack overflow
- Depending on the exploitation approach, the attacker achieves either information disclosure or code execution with the user's privileges
The vulnerability affects CAD/design professionals who commonly work with SKP files as part of their workflow, making design and engineering teams a primary target for this attack.
Detection Methods for CVE-2022-42899
Indicators of Compromise
- Unexpected crashes or application hangs in MicroStation or Bentley View when opening SKP files
- Presence of suspiciously named or recently received SKP files from untrusted sources
- Anomalous process behavior following SKP file operations, such as unexpected child processes or network connections
- Memory access violations or exception events logged in Windows Event Logs related to MicroStation processes
Detection Strategies
- Deploy endpoint detection rules to monitor for abnormal behavior patterns in ustation.exe and Bentley View processes
- Implement file inspection policies that quarantine and analyze SKP files received from external sources before user access
- Configure application crash monitoring to alert on repeated crashes in MicroStation or Bentley View applications
- Use memory protection technologies that can detect out-of-bounds memory access attempts
Monitoring Recommendations
- Enable detailed logging for Bentley application processes to capture file access patterns and potential exploitation attempts
- Monitor for unusual process execution chains originating from MicroStation or Bentley View applications
- Implement email gateway scanning for SKP file attachments from external senders
- Deploy behavioral analysis capabilities to detect post-exploitation activity following suspicious file opens
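The crash-monitoring and process-chain items above can be expressed as correlation logic over endpoint telemetry. The following is an added example, not code from Bentley or from this advisory: the event schema, sample events, thresholds and time windows are assumptions, and only the process name ustation.exe comes from the page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED = {"ustation.exe"}             # named on the page; add the local Bentley View image name
CRASH_THRESHOLD = 2                    # assumed tuning value
CRASH_WINDOW = timedelta(minutes=30)   # assumed tuning value
CHILD_WINDOW = timedelta(minutes=5)    # assumed tuning value

# Constructed sample telemetry in a hypothetical normalized schema (not real logs).
EVENTS = [
    {"ts": "2022-10-20T09:00:05", "host": "cad-01", "type": "file_open", "image": "ustation.exe", "path": "site_plan.skp"},
    {"ts": "2022-10-20T09:00:07", "host": "cad-01", "type": "crash", "image": "ustation.exe"},
    {"ts": "2022-10-20T09:12:40", "host": "cad-01", "type": "file_open", "image": "ustation.exe", "path": "site_plan.skp"},
    {"ts": "2022-10-20T09:12:41", "host": "cad-01", "type": "crash", "image": "ustation.exe"},
    {"ts": "2022-10-20T10:00:00", "host": "cad-02", "type": "file_open", "image": "ustation.exe", "path": "model.SKP"},
    {"ts": "2022-10-20T10:00:03", "host": "cad-02", "type": "proc_create", "image": "cmd.exe", "parent": "ustation.exe"},
    {"ts": "2022-10-20T11:00:00", "host": "cad-03", "type": "crash", "image": "ustation.exe"},
    {"ts": "2022-10-20T11:30:00", "host": "cad-03", "type": "file_open", "image": "ustation.exe", "path": "bridge.dgn"},
    {"ts": "2022-10-20T11:30:09", "host": "cad-03", "type": "proc_create", "image": "cmd.exe", "parent": "ustation.exe"},
]

def detect(events):
    """Return alerts for repeated crashes and for children spawned soon after an .skp open."""
    alerts = []
    crashes = defaultdict(deque)   # (host, image) -> crash times inside the window
    last_skp = {}                  # (host, image) -> time of the most recent .skp open
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host, kind = ev["host"], ev["type"]
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        if kind == "file_open" and image in WATCHED and ev.get("path", "").lower().endswith(".skp"):
            last_skp[(host, image)] = ts
        elif kind == "crash" and image in WATCHED:
            recent = crashes[(host, image)]
            recent.append(ts)
            while ts - recent[0] > CRASH_WINDOW:   # drop crashes older than the window
                recent.popleft()
            if len(recent) >= CRASH_THRESHOLD:
                alerts.append(("repeated_crash", host, image, len(recent)))
        elif kind == "proc_create" and parent in WATCHED:
            opened = last_skp.get((host, parent))
            if opened is not None and ts - opened <= CHILD_WINDOW:
                alerts.append(("child_after_skp", host, image, ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The single crash and the child process on cad-03 produce no alert, because neither the repeat threshold nor a preceding .skp open is met; an allowlist of expected child processes would be the next tuning step in a real deployment.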
How to Mitigate CVE-2022-42899
Immediate Actions Required
- Update Bentley MicroStation to version 10.17.01.58* or later immediately
- Update Bentley View to version 10.17.01.19* or later immediately
- Educate users about the risks of opening SKP files from untrusted or unexpected sources
- Implement file type restrictions on email gateways and file sharing systems to quarantine incoming SKP files for review
Patch Information
Bentley has released security patches addressing these vulnerabilities. According to the Bentley Common Vulnerability Exposure Advisory, the fixed versions are:
- MicroStation: Version 10.17.01.58* and later
- Bentley View: Version 10.17.01.19* and later
Organizations should prioritize updating all installations to these fixed versions through their standard software update processes.
Workarounds
- Restrict SKP file handling to isolated environments or sandboxed applications until patches can be applied
- Block or quarantine incoming SKP files from external sources at the email gateway and network perimeter
- Implement application whitelisting policies that only allow vetted and trusted SKP files to be opened
- Consider using alternative file formats for design collaboration that do not rely on the vulnerable SKP parsing functionality
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

