A critical vulnerability in Axis Communications’ Autodesk Revit plugin has exposed Azure Storage Account credentials, creating significant security risks for customers and potentially enabling supply chain attacks targeting the architecture and engineering industry.
The vulnerability stems from hardcoded credentials embedded within signed Dynamic Link Libraries (DLLs) distributed to customers through the plugin’s Microsoft Installer (MSI) package.
The security flaw was discovered in July 2024 when Trend Micro’s VirusTotal rules detected Azure Shared Access Signature (SAS) tokens within a digitally signed DLL named “AzureBlobRestAPI.dll”.
The affected component was issued to AEC Advanced Engineering Computation Aktiebolag, an Autodesk partner specializing in AutoCAD and Revit platform consulting.
This discovery initiated a months-long remediation process involving multiple vulnerability reports and patches.
The exposed credentials provided unauthorized read and write access to three Azure storage accounts belonging to Axis Communications, a Swedish multinational company specializing in network video solutions and surveillance technology.
These accounts contained critical assets including MSI installers for the Axis Plugin for Autodesk Revit and Revit Family Architecture (RFA) files used by customers for building information modeling projects.
The vulnerability’s impact was amplified by the potential for attackers to replace legitimate files with malicious versions, effectively weaponizing the trusted distribution mechanism.
Trend Micro analysts identified additional security concerns beyond the credential exposure. Through their Zero Day Initiative (ZDI) research, they discovered multiple remote code execution vulnerabilities in Autodesk Revit that could be triggered by importing malicious RFA files.
This combination of vulnerabilities created a dangerous attack vector where threat actors could potentially compromise the storage accounts, upload crafted RFA files, and achieve mass compromise of Axis Communications customers using Autodesk Revit software.
The discovery highlights broader supply chain security risks within the architectural and engineering software ecosystem.
The plugin’s design flaws demonstrate how trusted third-party integrations can become attack vectors when proper security controls are not implemented.
Technical Analysis of the Vulnerability
The vulnerability’s technical foundation lies in poor credential management practices within the plugin’s architecture.
Researchers found cleartext Azure SAS tokens and shared access key pairs for two Azure storage accounts named “axisfiles” and “axiscontentfiles” embedded within a private method called “internalSetEnvironment” of the class “AzureBlobRestAPI.DataTypes.Classes.Global”.
The credentials granted extensive privileges including full read, write, delete, list, add, create, update, process, and execute permissions across the storage accounts.
This level of access far exceeded the principle of least privilege, enabling attackers to not only access existing content but also modify distribution mechanisms and upload malicious files.
When Axis Communications initially attempted to remediate the issue with version 25.3.710, they implemented code obfuscation using tools like Eazfuscator.
However, this approach proved inadequate as the obfuscated credentials could be easily de-obfuscated using publicly available tools such as de4dot.
The obfuscation merely provided security through obscurity rather than addressing the fundamental design flaw of embedding credentials in client-side code.
The vulnerability’s persistence was further complicated by the storage accounts containing historical versions of the plugin installers.
Even after implementing read-only SAS tokens in version 25.3.711, researchers discovered that attackers could still access previous plugin versions containing the overly permissive credentials, effectively bypassing the remediation efforts until all historical versions were properly secured.
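The checks a defender would run against a plugin build before shipping it, as an added example that is not code from the article, Trend Micro or Axis: it pulls printable strings out of a binary in both ASCII and UTF-16LE (the encoding .NET uses for string literals, which is why plain `strings` misses them), recognises embedded SAS tokens and storage account keys, and reports for each token whether it is account-wide, which `sp=` permissions it grants and how long it remains valid, so a token like the `rwdlacup` one described above is flagged while a read-only `rl` token passes. The account name, key and signatures in the sample are constructed placeholders.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Azure SAS "sp=" permission letters (Azure Storage SAS docs); only read and
# list are acceptable for a token that ships compiled into a client DLL.
PERMISSION_NAMES = {"r": "read", "w": "write", "d": "delete", "l": "list", "a": "add",
                    "c": "create", "u": "update", "p": "process", "e": "execute"}
# Lowercase key=value query strings; a SAS is confirmed by sp= plus sig= below.
QUERY_RE = re.compile(r"\b[a-z]+=[^\s\"'<>&]+(?:&[a-z]+=[^\s\"'<>&]+)+")
# A storage account shared key is 64 random bytes, base64 encoded (88 chars).
ACCOUNT_KEY_RE = re.compile(r"AccountKey=[A-Za-z0-9+/]{86}==")
# Constructed sample resembling a .NET string heap: a UTF-16LE account SAS URL,
# a UTF-16LE read-only container SAS, and an ASCII connection string (fake key).
_SAS = ("https://examplefiles.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco"
        "&sp=rwdlacup&se=2030-01-01T00:00:00Z&sig=FAKE%2Bsig%3D")
_RO = "?sv=2022-11-02&sr=c&sp=rl&se=2030-01-01&sig=FAKEsig2"
_KEY = "AccountName=example;AccountKey=" + "A" * 86 + "==;EndpointSuffix=core.windows.net"
SAMPLE_BLOB = (b"MZ\x90\x00" * 4 + _SAS.encode("utf-16-le") + b"\x00\x00"
               + _RO.encode("utf-16-le") + b"\x00\x00" + _KEY.encode("ascii") + b"\x00")


def extract_strings(blob: bytes, min_len: int = 24) -> list:
    """Printable runs decoded as ASCII and as UTF-16LE (.NET user strings)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return [s.decode("ascii") for s in ascii_runs] + [s.decode("utf-16-le") for s in utf16_runs]


def assess_sas(params: dict, now: datetime) -> dict:
    """Scope, permission set and remaining lifetime of one parsed SAS token."""
    perms = set(params.get("sp", [""])[0])
    se = params.get("se", [""])[0]  # SAS times are UTC; a date-only value parses naive
    exp = datetime.fromisoformat(se.replace("Z", "+00:00")) if se else None
    years = (exp.replace(tzinfo=timezone.utc) - now).days / 365.0 if exp else None
    return {"kind": "sas", "account_level": "ss" in params,  # account SAS vs service SAS
            "permissions": sorted(PERMISSION_NAMES.get(p, "unknown:" + p) for p in perms),
            "read_only": perms <= {"r", "l"}, "years_valid": years}


def scan_binary(blob: bytes, now: datetime = None) -> list:
    """One finding per embedded SAS token or shared key; secrets are not echoed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for s in extract_strings(blob):
        for m in QUERY_RE.finditer(s):
            params = parse_qs(m.group(0))
            if "sig" in params and "sp" in params:
                findings.append(assess_sas(params, now))
        if ACCOUNT_KEY_RE.search(s):
            findings.append({"kind": "account_key", "read_only": False})
    return findings
```

Running `scan_binary` over the bytes of each historical MSI payload, not only the current build, is what catches the case above where older installers still carried the permissive token.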
Axis Communications has confirmed that the vulnerabilities have been fully patched in the current version 25.3.718, with all previously reported issues resolved.
The company has also taken proactive steps to notify affected partners and customers, emphasizing that the Autodesk Revit plugin is provided only to select partners and is generally not accessible for public use.
The post Axis Communications Vulnerability Exposes Azure Storage Account Credentials appeared first on Cyber Security News.