Full Report
Cybersecurity researchers have disclosed details of a new method for exfiltrating sensitive data from artificial intelligence (AI) code execution environments using domain name system (DNS) queries. In a report published Monday, BeyondTrust revealed that Amazon Bedrock AgentCore Code Interpreter's sandbox mode permits outbound DNS queries that an attacker can exploit to enable interactive shells
Analysis Summary
# Vulnerability: DNS Exfiltration and Interactive Shell in Amazon Bedrock Code Interpreter
## CVE Details
- **CVE ID**: N/A (Cloud service vulnerability; no CVE assigned by AWS)
- **CVSS Score**: Not officially rated (Estimated: High/Critical severity)
- **CWE**: CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
## Affected Systems
- **Products**: Amazon Bedrock
- **Versions**: All versions prior to the remediation reported in August 2024.
- **Configurations**: Amazon Bedrock AgentCore Code Interpreter with "Sandbox Mode" enabled.
## Vulnerability Description
The vulnerability stems from an insecure configuration in the network stack of the Amazon Bedrock Code Interpreter sandbox. While the environment was intended to be "air-gapped" or restricted from outbound internet access, it permitted outbound **DNS (Domain Name System) queries** (UDP port 53).
Researchers discovered they could use the Code Interpreter to execute Python scripts that bypass standard data egress controls by encoding sensitive data into subdomains of an attacker-controlled domain (e.g., `data.attacker[.]com`). By monitoring the authoritative name server for that domain, the attacker could reconstruct the exfiltrated data. Furthermore, by utilizing bidirectional DNS communication (DNS tunneling), researchers successfully established an **interactive reverse shell**, allowing for persistent command execution within the sandbox.
## Exploitation
- **Status**: Proof-of-Concept (PoC) developed by researchers; reported as fixed by the vendor.
- **Complexity**: Medium
- **Attack Vector**: Network (Remote execution via AI Prompt Injection or malicious agent instructions)
## Impact
- **Confidentiality**: **High** (Exfiltration of sensitive data, environment variables, and AWS metadata).
- **Integrity**: **Medium** (Ability to manipulate data within the execution environment).
- **Availability**: **Low** (Limited impact on broader infrastructure, but potential for resource exhaustion within the sandbox).
## Remediation
### Patches
- **Vendor Action**: AWS has implemented server-side fixes to restrict outbound DNS traffic from the Bedrock Code Interpreter environments. No user action is required for the managed service.
### Workarounds
- **Prompt Engineering**: Implement strict guardrails to prevent agents from interpreting/executing code that makes network-layer calls (though this is often bypassable).
- **Infrastructure**: Users of similar AI code execution tools should ensure strict egress filtering (locking down Port 53) is in place for all sandbox containers.
## Detection
- **Indicators of Compromise**:
  - Unusual volumes of DNS queries originating from AI agent execution roles.
  - DNS lookups for long, randomly generated subdomains (DGA-like patterns).
  - Unusually high frequency of TXT or CNAME record requests.
- **Detection methods and tools**:
  - Monitor **AWS CloudTrail** and **VPC Flow Logs** for unexpected outbound traffic patterns.
  - Utilize DNS filtering/inspection tools (e.g., Amazon Route 53 Resolver DNS Firewall) to flag and block tunneling attempts.
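The three indicators above can be checked together over resolver query logs. The following is an added example, not code from the research or from AWS: it assumes each log record has already been reduced to a `(source, qtype, qname)` tuple, and the thresholds, source names and the `tunnel.example` zone are constructed placeholders.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Assumed thresholds; tune them against your own resolver baseline.
MAX_QUERIES = 20           # queries per source in the analysed window
MIN_LABEL_LEN = 40         # a single label this long is rarely legitimate
MIN_ENTROPY = 3.5          # bits per character; encoded data scores high
MAX_TXT_CNAME_RATIO = 0.5  # share of TXT/CNAME lookups per source

def shannon_entropy(text):
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def has_encoded_label(qname):
    """True if any label is both long and high-entropy."""
    labels = qname.rstrip(".").split(".")
    return any(len(l) >= MIN_LABEL_LEN and shannon_entropy(l) >= MIN_ENTROPY
               for l in labels)

def score_sources(records):
    """records: iterable of (source, qtype, qname). Returns {source: [reasons]}."""
    by_source = defaultdict(list)
    for source, qtype, qname in records:
        by_source[source].append((qtype.upper(), qname.lower()))
    findings = {}
    for source, queries in by_source.items():
        reasons = []
        if len(queries) > MAX_QUERIES:
            reasons.append("query-volume")
        if any(has_encoded_label(name) for _, name in queries):
            reasons.append("long-random-label")
        tunnel_types = sum(qtype in ("TXT", "CNAME") for qtype, _ in queries)
        if tunnel_types / len(queries) > MAX_TXT_CNAME_RATIO:
            reasons.append("txt-cname-ratio")
        if reasons:
            findings[source] = reasons
    return findings

def constructed_sample():
    """Constructed records, not real telemetry; all names are placeholders."""
    records = [("workstation-7", "A", f"host{i}.corp.example.") for i in range(5)]
    records += [("agent-exec-role", "TXT",
                 hashlib.sha256(str(i).encode()).hexdigest()[:48] + ".tunnel.example.")
                for i in range(30)]
    return records

if __name__ == "__main__":
    for source, reasons in score_sources(constructed_sample()).items():
        print(source, reasons)
```

A source that trips only one rule is a weak signal; legitimate services such as CDNs and mail validation also produce long labels or TXT lookups, so alert on combinations or on sources that should not be resolving external names at all.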
## References
- **Vendor Advisory**: AWS Security Bulletins (General Bedrock Security)
- **Research Blog**: hxxps[://]www[.]beyondtrust[.]com/blog/entry/amazon-bedrock-vulnerability-dns-exfiltration-interactive-shell
- **Defanged News Link**: hxxps[://]thehackernews[.]com/2024/09/researchers-uncover-dns-based-data[.]html