⚠️ Region Alert: UAE/Middle East
This article details research into the security boundaries of Amazon Bedrock AgentCore, focusing on how its Code Interpreter sandbox isolation can be bypassed. Researchers discovered that while the sandbox is marketed as having no external network access, it remains vulnerable to DNS tunneling. This allows attackers to establish a bi-directional command-and-control (C2) channel and exfiltrate sensitive data through recursive DNS queries even when direct TCP/UDP traffic is blocked.
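A defender-side check for the DNS channel described above, added here as an example and not taken from the research or from AWS: it scans resolver query logs for client/zone pairs that produce many long, high-entropy unique subdomains. The log format, thresholds, zone names and the naive two-label zone split are assumptions, and the sample log is constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Assumed thresholds for this example; tune against your own resolver baseline.
MIN_UNIQUE, MIN_AVG_LEN, MIN_ENTROPY = 5, 30, 3.5

def build_sample_log():
    """Constructed resolver log: '<epoch> <client> <qname> <qtype>' per line."""
    lines = [f"{1700000000 + i} 10.0.1.7 img{i}.cdn-zone.example A" for i in range(8)]
    for i in range(6):  # constructed stand-ins for encoded payload labels
        label = hashlib.sha256(b"chunk%d" % i).hexdigest()[:40]
        lines.append(f"{1700000100 + i} 10.0.2.9 {label}.suspect-zone.example TXT")
    lines.append("1700000200 10.0.1.7 www.cdn-zone.example A")
    return "\n".join(lines)

def entropy(text):
    """Shannon entropy in bits per character."""
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def split_zone(qname):
    # Naive split on the last two labels; use a public-suffix list in production.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def find_tunnel_suspects(log_text):
    """Flag (client, zone) pairs with many long, high-entropy unique subdomains."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        zone, sub = split_zone(fields[2])
        if sub:
            seen[(fields[1], zone)].add(sub)
    suspects = []
    for (client, zone), subs in sorted(seen.items()):
        avg_len = sum(map(len, subs)) / len(subs)
        bits = entropy("".join(subs).replace(".", ""))
        if len(subs) >= MIN_UNIQUE and avg_len >= MIN_AVG_LEN and bits >= MIN_ENTROPY:
            suspects.append({"client": client, "zone": zone, "unique": len(subs),
                             "avg_len": round(avg_len, 1), "entropy": round(bits, 2)})
    return suspects

if __name__ == "__main__":
    for hit in find_tunnel_suspects(build_sample_log()):
        print(hit)
```

The busy but benign `cdn-zone.example` client is not flagged because its labels are short; only the client sending long, random-looking labels to a single zone is reported.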
Furthermore, the investigation revealed a critical security regression in the AgentCore Runtime. The environment utilized a microVM Metadata Service (MMDS) that did not enforce session tokens, mirroring legacy IMDSv1 vulnerabilities. This configuration could allow an attacker to exploit server-side request forgery (SSRF) to extract IAM credentials. AWS has since mitigated these risks by updating documentation and transitioning to MMDSv2 as the default for new agents.