TrendMicro

A Cascade of Insecure Architectures: Axis Plugin Design Flaw Exposes Select Autodesk Revit Users to Supply Chain Risk

Credential leaks in customer-facing infrastructure don’t just expose cloud storage — they can be the entry point for a multi-stage supply chain attack. This is not the first time we have seen such a case. In 2023, we reported a similar issue to Microsoft for their tool called PC Manager. Using the exposed tokens, it was possible to gain full control over multiple distribution mechanisms of PC Manager consisting of WinGet packages, an official subdomain, and a Microsoft-owned URL shortener service.

Ultimately, these cases are not just about specific vendors or vulnerabilities – they are strong reminders that in software supply chains, trust must be proactively earned, verified, and continually reassessed. A single misstep in plugin security, credential handling, or file exposure can have cascading consequences. Organizations must realize and fulfill the demands of supply chain security, before attackers and incidents force this realization.

Conclusion and recommendations

This exposure highlights the unforeseen risk stemming from trusted third-party software providers. Signed DLLs within a customer-facing plugin for Autodesk Revit had hard-coded Azure Storage Account credentials. These secrets granted unauthorized read/write access to MSI installers and RFA model files distributed to other customers.

Additionally, the vulnerabilities in Autodesk Revit could result in arbitrary code execution, as customers would use the plugin to download model files from Axis’s storage account. These findings show a potentially dangerous intersection of flaws that could have enabled a full-blown supply chain attack. This case reinforces the following key points:

  • Digitally signed DLLs are not inherently secure. A signature proves origin, not safety, so trust indicators must be backed by thorough internal review and static analysis throughout the development process.
  • Exposure of overly permissive credentials amplifies risk. Following the principle of least privilege can significantly limit the scope of compromise.
  • File formats as attack vectors become much more impactful when coupled with scalable distribution mechanisms enabled by widely trusted cloud resources – as we examined in this case.

Here are several proactive measures we recommend to prevent similar cases:

  • Integrate a code scanning solution (such as Artifact Scanner within Trend Vision One™ Code Security) into CI/CD pipelines to detect and remediate exposed credentials before release.
  • Separate public-facing assets from systems used for distributing software releases to minimize the attack surface.
  • Apply defense-in-depth strategies to file format parsers by regularly conducting vulnerability assessments and code reviews.

Here are reactive measures to take if such an exposure has already happened:

  • Continuously scan existing and new software releases for embedded credentials to ensure no sensitive information is inadvertently exposed.
  • Subject all releases to sandboxing and thorough QA/testing environments prior to public distribution to identify potential security issues.
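The proactive and reactive lists above both come down to the same control: scan every release artifact for embedded credentials before it ships, and keep scanning after. As an added example that is not part of the original article (and not Trend Micro's, Axis's or Autodesk's code), the script below does that for the Azure Storage secret formats this case involved. It extracts both ASCII and UTF-16LE strings from a binary, because .NET assemblies store C# string literals in their #US metadata heap as UTF-16LE and an ASCII-only grep misses exactly the hard-coded connection string a signed plugin DLL would carry; it then matches the documented connection-string/account-key and SAS-token shapes, rejects low-entropy placeholders that merely look like keys, and reports the SAS `sp=` permission list so an over-broad token stands out. The account name, key, SAS signature and the fake PE blob are all constructed for the example.

```python
"""Scan a release artifact for embedded Azure Storage credentials.

Added example for this article; not Trend Micro's, Axis's or Autodesk's code.
It recognises the documented Azure connection-string / account-key and
SAS-token formats. The sample artifact at the bottom is constructed.
"""
import base64
import binascii
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# "strings"-style extraction. .NET assemblies keep C# string literals in the
# #US metadata heap as UTF-16LE, so an ASCII-only scan misses most of them.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Azure Storage account keys are 64 random bytes, base64-encoded: 88 chars, "==" padding.
ACCOUNT_KEY_RE = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")
BARE_KEY_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{86}==)(?![A-Za-z0-9+/=])")
ACCOUNT_NAME_RE = re.compile(r"AccountName=([a-z0-9]{3,24})")
# A SAS query string: a run of k=v&k=v parameters ending in sig=<URL-encoded base64>.
SAS_RE = re.compile(r"(?:[A-Za-z0-9%+/=.:\-]+&)*sig=([A-Za-z0-9%+/=]{20,})")


@dataclass(frozen=True)
class Finding:
    kind: str      # "account-key", "possible-account-key" or "sas-token"
    encoding: str  # "ascii" or "utf-16le": which view of the binary exposed it
    context: str   # account name, or the SAS "sp=" permission list
    evidence: str  # redacted secret, safe to put in a CI log


def printable_strings(data: bytes) -> Iterator[Tuple[str, str]]:
    """Yield (encoding, text) for ASCII and UTF-16LE runs, like `strings -e l`."""
    for m in ASCII_RUN.finditer(data):
        yield "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield "utf-16le", m.group().decode("utf-16-le")


def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:]


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_account_key(key: str) -> bool:
    """Shape alone is not enough: any 86 base64 chars + '==' decode to 64 bytes,
    including template placeholders like 'AAAA...=='. Real keys are random, so
    require valid base64 and high entropy (max is 6 bits/char for this alphabet)."""
    try:
        base64.b64decode(key, validate=True)
    except binascii.Error:
        return False
    return shannon_entropy(key[:86]) >= 4.5


def scan(data: bytes) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()
    for enc, text in printable_strings(data):
        account = ACCOUNT_NAME_RE.search(text)
        context = account.group(1) if account else "?"
        for m in ACCOUNT_KEY_RE.finditer(text):
            key = m.group(1)
            if looks_like_account_key(key) and key not in seen:
                seen.add(key)
                findings.append(Finding("account-key", enc, context, redact(key)))
        # Keys also turn up without the AccountKey= prefix (config values, constants).
        for m in BARE_KEY_RE.finditer(text):
            key = m.group(1)
            if looks_like_account_key(key) and key not in seen:
                seen.add(key)
                findings.append(Finding("possible-account-key", enc, context, redact(key)))
        for m in SAS_RE.finditer(text):
            if "sv=" not in m.group(0):
                continue  # "sig=" alone is common in non-Azure URLs; a SAS always carries sv=
            perms = re.search(r"(?:^|[?&])sp=([a-z]+)", m.group(0))
            perm_note = ("sp=" + perms.group(1)) if perms else "sp=?"
            findings.append(Finding("sas-token", enc, perm_note, redact(m.group(1))))
    return findings


# Constructed sample artifact: a fake PE header, an ASCII connection string as a
# developer might paste into a config file, and a UTF-16LE SAS URL as a .NET
# string literal would be stored. Neither secret is real; the key is derived
# from a fixed string so the example is deterministic.
FAKE_KEY = base64.b64encode(hashlib.sha512(b"constructed sample key").digest()).decode("ascii")
CONNECTION_STRING = (
    "DefaultEndpointsProtocol=https;AccountName=examplestorage;"
    f"AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net"
)
SAS_URL = (
    "https://examplestorage.blob.core.windows.net/models"
    "?sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&se=2030-01-01T00:00:00Z&spr=https"
    "&sig=c0nstructedSignature%2FnotReal%2Bvalue%3D"
)
SAMPLE_ARTIFACT = (
    b"MZ\x90\x00" + b"\x00" * 16
    + CONNECTION_STRING.encode("ascii") + b"\x00" * 8
    + SAS_URL.encode("utf-16-le") + b"\x00" * 8
)

if __name__ == "__main__":
    for f in scan(SAMPLE_ARTIFACT):
        print(f"{f.kind:22} {f.encoding:9} {f.context:16} {f.evidence}")
```

Run it against every built MSI, DLL and installer bundle as a CI gate, and again over already-published releases for the reactive case. The `sp=rwdlac` in the constructed SAS is the over-broad kind the article warns about; a read-only `sp=r` scoped to one container, with a short `se=` expiry, bounds what a leaked token can do.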

Trend Solutions

Trend Vision One™ Cloud Risk Management is a continuous assurance tool that provides peace of mind for cloud infrastructure, delivering over 750 automated best practice checks. Cloud Risk Management users can leverage the following Azure Storage Account rules:
