Critical Bypass Vulnerabilities in AWS Amazon Bedrock AgentCore
TL;DR: Research from Palo Alto Networks reveals significant vulnerabilities in the network isolation features of AWS’s Amazon Bedrock AgentCore, specifically within its Code Interpreter. These flaws could allow attackers to exfiltrate sensitive data and establish command and control channels via DNS tunneling.
Main Analysis:
Palo Alto Networks conducted an investigation into the Amazon Bedrock AgentCore, focusing on its Code Interpreter service, which was designed to execute code in a secure, sandboxed environment. The research identified critical weaknesses in the network isolation of the Code Interpreter, particularly with its sandbox mode originally claimed to provide complete isolation. The assessment discovered that this mode allowed for outbound DNS queries, enabling data exfiltration through DNS tunneling.
Through methodical testing, the researchers mapped the architecture of the AgentCore services and confirmed that, despite AWS’s statement that sandbox mode permits no external connections, the sandbox could still resolve external domain names. They demonstrated that data can be leaked by encoding it into DNS queries for an attacker-controlled zone, and that the responses to those queries provide a covert, bidirectional channel. An attacker who can get code to run inside the sandbox could therefore both extract credentials and receive commands from outside it.
The research also uncovered a misconfiguration in the microVM Metadata Service (MMDS): the endpoint lacked adequate access controls, so a request originating inside the microVM could reach it in the manner of a server-side request forgery attack. Unlike IMDSv2 on EC2, which requires a session token obtained with a PUT request before metadata can be read, this service answered without any session token, exposing metadata and credentials to whatever code was running in the runtime environment.
Defensive Context:
Organizations using AWS’s AgentCore must be aware of these vulnerabilities, especially those relying on the Code Interpreter for sensitive tasks. The risk is heightened for any deployment that attaches high-privilege IAM roles to the agent: the perceived security of the sandbox may lead developers to grant it privileges they would never attach to an internet-facing system. Deployments in which the agent handles regulated or otherwise sensitive data are affected most, because the exfiltration path bypasses exactly the network controls those deployments rely on.
Why This Matters:
The ability to exfiltrate data from what is intended to be a secure environment represents a serious real-world risk. Organizations that deploy AI agents must assess their configurations and understand the implications of using services like Amazon Bedrock AgentCore, especially in terms of data security and identity management.
Defender Considerations:
AWS has indicated that customers needing stricter network isolation than sandbox mode provides should use VPC mode, which routes the Code Interpreter’s traffic through a customer-controlled VPC where routing, security groups and DNS resolution are under the customer’s control. To mitigate DNS tunneling, AWS suggests Amazon Route 53 Resolver DNS Firewall; the stricter configuration is an allow list of the domains the agent legitimately needs with a default block rule for everything else, and enabling Resolver query logging on the same VPC makes tunneling attempts visible after the fact. Organizations should also re-evaluate the permissions granted to their AI agents, applying least-privilege principles so that a compromised sandbox cannot reach more than its task requires.
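The following example is added to this summary; it is not code from the Palo Alto Networks research or from AWS. It shows both sides of the DNS tunneling problem described above: how a tunneling client shapes its queries (data chunked into base32 labels under an attacker-controlled zone, with a sequence label so the receiver can reassemble), and a detector that flags that traffic pattern in records shaped like Route 53 Resolver query logs. The zone name exfil.example.net, the "secret" bytes, the log records, the thresholds and the last-two-labels zone grouping are all constructed assumptions for illustration.

```python
"""Added example: how DNS-tunneled exfiltration shapes queries, and a
detector that flags it in Route 53 Resolver query-log records.
Constructed data throughout; thresholds are illustrative assumptions."""
from __future__ import annotations

import base64
import json
import math
from collections import Counter, defaultdict

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a full name is at most 253 characters in text form


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def encode_chunks(data: bytes, zone: str, chunk: int = 30) -> list[str]:
    """Names a tunneling client would resolve to leak `data` through `zone`.
    Each chunk becomes one base32 label (base32 because labels are
    case-insensitive and limited to letters, digits and hyphens); a leading
    sequence-number label lets the receiver reassemble out-of-order queries."""
    names = []
    for seq, i in enumerate(range(0, len(data), chunk)):
        label = base64.b32encode(data[i:i + chunk]).decode().rstrip("=").lower()
        assert len(label) <= MAX_LABEL
        name = f"{seq}.{label}.{zone}"
        assert len(name) <= MAX_NAME
        names.append(name)
    return names


def decode_chunks(names: list[str], zone: str) -> bytes:
    """Receiver side: strip the zone, re-pad base32 and reassemble by sequence."""
    chunks = {}
    for name in names:
        seq, label = name[: -(len(zone) + 1)].split(".")
        chunks[int(seq)] = base64.b32decode(label.upper() + "=" * (-len(label) % 8))
    return b"".join(chunks[i] for i in sorted(chunks))


def make_record(qname: str, src: str) -> dict:
    """Constructed record in the shape of a Route 53 Resolver query log."""
    return {"query_timestamp": "2024-01-01T00:00:00Z", "query_name": qname + ".",
            "query_type": "A", "query_class": "IN", "rcode": "NOERROR",
            "srcaddr": src, "srcport": "53412", "transport": "UDP"}


def zone_of(name: str) -> str:
    """Crude registrable-domain guess (last two labels); production code
    should use the public suffix list instead."""
    return ".".join(name.split(".")[-2:])


def analyze(records: list[dict], min_distinct: int = 5,
            max_mean_len: float = 30.0, max_mean_entropy: float = 4.0) -> dict[str, dict]:
    """Per-zone statistics; a zone is suspicious when many distinct
    subdomains are queried and they are long or high-entropy (assumed thresholds)."""
    per_zone: dict[str, list[str]] = defaultdict(list)
    for r in records:
        name = r["query_name"].rstrip(".")
        zone = zone_of(name)
        per_zone[zone].append(name[: -len(zone)].rstrip("."))   # part left of the zone
    stats = {}
    for zone, subs in per_zone.items():
        distinct = len(set(subs))
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        stats[zone] = {
            "queries": len(subs), "distinct_subdomains": distinct,
            "mean_subdomain_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2),
            "suspicious": distinct >= min_distinct
                          and (mean_len >= max_mean_len or mean_ent >= max_mean_entropy),
        }
    return stats


def flagged_zones(records: list[dict]) -> list[str]:
    """Zones whose query pattern matches the tunneling heuristic."""
    return sorted(z for z, s in analyze(records).items() if s["suspicious"])


# Constructed sample: a handful of ordinary queries plus a tunneled "secret".
SECRET = b"constructed-sample-secret:" * 8          # 208 bytes, not a real credential
TUNNEL_ZONE = "exfil.example.net"                   # placeholder attacker-controlled zone
BENIGN = ["www.example.com", "api.example.com", "www.example.com",
          "sts.us-east-1.amazonaws.com", "bedrock-runtime.us-east-1.amazonaws.com"]
SAMPLE_LOG = ([make_record(n, "10.0.1.10") for n in BENIGN]
              + [make_record(n, "10.0.1.10") for n in encode_chunks(SECRET, TUNNEL_ZONE)])

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
    print("flagged:", flagged_zones(SAMPLE_LOG))
```

Run stand-alone it prints the per-zone statistics and reports example.net as the flagged zone (the crude grouping folds exfil.example.net into its parent). The thresholds are deliberately conservative; in a real deployment they would be tuned against the VPC's own baseline, and the same statistics should be keyed by source address as well as by zone so that a single noisy sandbox stands out.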
Indicators of Compromise (IOCs):
No specific IOCs were provided in the article; thus, this section is not applicable.