Full Report
Unit 42 uncovers critical vulnerabilities in Amazon Bedrock AgentCore's sandbox, demonstrating DNS tunneling and credential exposure. The post Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox appeared first on Unit 42.
Analysis Summary
# Vulnerability: Amazon Bedrock AgentCore Sandbox Escape via DNS Tunneling
## CVE Details
- **CVE ID**: N/A (Cloud vulnerability – AWS does not typically assign CVEs to internal managed service infrastructure flaws)
- **CVSS Score**: Estimated 8.8 (High/Critical)
- **CWE**: CWE-1336 (Improper Handling of Structural Elements in Input), CWE-94 (Code Injection)
## Affected Systems
- **Products**: Amazon Bedrock (Agents for Amazon Bedrock)
- **Versions**: All versions prior to the July 2024 fix.
- **Configurations**: Agents utilizing the "Code Interpreter" action group or custom Lambda functions running within the AgentCore sandbox environment.
## Vulnerability Description
The vulnerability exists in the **AgentCore sandbox**, the environment AWS uses to execute code generated by Amazon Bedrock agents. While AWS implements strict network isolation to prevent data exfiltration, Unit 42 researchers identified that the sandbox allowed **DNS queries** to resolve through the host's DNS infrastructure.
By leveraging **DNS Tunneling**, an attacker could bypass network restrictions. Furthermore, researchers discovered that sensitive environment variables and temporary credentials (AWS IAM role credentials) associated with the Agent's execution role were accessible within the sandbox environment. By combining code injection with DNS tunneling, an attacker could exfiltrate these credentials one piece at a time via subdomains of an attacker-controlled DNS server.
## Exploitation
- **Status**: PoC available (Validated by Unit 42 and patched by AWS)
- **Complexity**: Medium (Requires crafting specific prompts to trigger code execution)
- **Attack Vector**: Network (Remote via API/Agent Interaction)
## Impact
- **Confidentiality**: High (Exposure of IAM credentials and internal metadata)
- **Integrity**: Low (Limited to the scope of the Agent's execution role)
- **Availability**: Low
## Remediation
### Patches
- **AWS Managed Fix**: AWS has deployed a global server-side patch to the Bedrock AgentCore infrastructure. No customer action is required for the managed service.
- **Improved Isolation**: AWS has updated the sandbox to further restrict DNS traffic and harden the credential provider access from within the Code Interpreter environment.
### Workarounds
- **IAM Least Privilege**: Ensure that the IAM roles assigned to Bedrock Agents have the absolute minimum permissions required to perform their tasks, limiting the blast radius of credential exposure.
- **Input Filtering**: Implement guardrails (e.g., Amazon Bedrock Guardrails) to detect and block prompts designed to exfiltrate system information or execute unauthorized system commands.
## Detection
- **Indicators of compromise**: Unusual DNS query patterns involving long, high-entropy subdomains (e.g., `[encoded-data].attacker-domain.com`).
- **Detection methods and tools**:
  - Monitor **CloudTrail** logs for unusual API calls originating from Agent execution roles that deviate from established baselines.
  - Inspect **VPC Flow Logs** or DNS query logs for anomalous outbound requests to unrecognized external domains if using custom VPC configurations.
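
The DNS indicator above (long, high-entropy subdomains under one external domain) can be turned into a simple log check. The following is an added example, not code from Unit 42 or AWS; the `(source, query name)` input shape, the thresholds, and the two-label base-domain heuristic are assumptions to adapt to your own DNS query log format.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (source address, queried name) pairs. Not real traffic;
# example.net / example.org are reserved documentation domains.
SAMPLE_QUERIES = [
    ("10.0.1.5", "bedrock-runtime.us-east-1.amazonaws.com"),
    ("10.0.1.5", "sts.amazonaws.com"),
    ("10.0.1.9", "mfzwgylmnfxgoidbonzwk4tjmnqxi2lpnyqgs4y.t.example.net"),
    ("10.0.1.9", "onswg4tfoqqhgzlsozuwgzjamrqxiyjanfzsa3tp.t.example.net"),
    ("10.0.1.9", "orugk4tfebuxgidon52gqzlsmuqhi33vnzsca5dp.t.example.net"),
    ("10.0.1.7", "www.example.org"),
]

# Assumed thresholds: tune against a baseline of your own resolver logs.
MIN_LABEL_LEN, MIN_ENTROPY_BITS = 30, 3.5

def shannon_entropy(s):
    """Bits per character of the string's empirical character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def suspicious_label(label):
    """True for a single DNS label that is both long and high-entropy."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY_BITS

def find_tunnel_candidates(queries, min_unique=3):
    """Group flagged names by (source, base domain) and keep groups with at
    least min_unique distinct names, since tunneling sends many unique labels."""
    hits = defaultdict(set)
    for src, name in queries:
        labels = name.rstrip(".").lower().split(".")
        # Assumption: the last two labels are the registered domain; a
        # production version would consult the Public Suffix List instead.
        if any(suspicious_label(l) for l in labels[:-2]):
            hits[(src, ".".join(labels[-2:]))].add(name)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_unique}

if __name__ == "__main__":
    for (src, domain), names in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(f"{src} -> {domain}: {len(names)} distinct high-entropy names")
```

Requiring several distinct flagged names per source and base domain keeps one-off long labels (for example, CDN or tracking hostnames) from alerting on their own.
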
## References
- **Original Research**: hxxps[://]unit42[.]paloaltonetworks[.]com/bypass-of-aws-sandbox-network-isolation-mode/
- **AWS Security Bulletins**: hxxps[://]aws[.]amazon[.]com/security/security-bulletins/