AWS Bedrock AgentCore Code Interpreter's "Sandbox" network mode has a major security flaw that lets threat actors set up hidden command-and-control (C2) channels and steal sensitive data. AWS markets this mode as providing complete network isolation, yet it still allows outbound DNS queries. AWS Bedrock AgentCore Code Interpreter is a managed service that lets AI agents and chatbots run Python, JavaScript, and shell code on behalf of users.

This is similar to how ChatGPT's code interpreter processes uploaded files and gives back analytical results. There are three network modes available with the service: Public, VPC, and Sandbox. AWS originally described Sandbox as providing "complete isolation with no external access." Researchers at BeyondTrust Phantom Labs found a big hole in that guarantee.

Even though Sandbox mode blocked most internet traffic, it let DNS A and AAAA record queries leave the sandbox unhindered. Researchers verified this behavior using Interactsh, an out-of-band testing server, which received DNS queries originating from within the sandboxed Code Interpreter, despite the instance being configured without network access. Prior related research by Sonrai Security also demonstrated credential exfiltration from AgentCore sandboxes via the Firecracker microVM Metadata Service, underscoring a broader pattern of isolation weaknesses in AgentCore's architecture.
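Because the only traffic that escapes the sandbox is DNS, any covert channel built on it has to encode its payload in the query names themselves, which gives defenders something to look for in resolver query logs: many distinct, long, high-entropy subdomains under one registrable domain from a single source. The script below is an added example written for this article, not code from AWS, BeyondTrust, or Sonrai; the log format, the `oob-placeholder.example` domain, the source IP, and the thresholds are all constructed assumptions and should be tuned against a real baseline.

```python
"""Flag DNS-tunnel-like query patterns in a resolver query log.

Added example, not from the original article or the vendors it names. Assumes a
simple four-field log line (timestamp, source IP, query name, query type); real
Route 53 Resolver or Bind logs need their own parser in place of parse_line().
"""
import math
from collections import defaultdict

# Constructed sample log. The three oob-placeholder.example queries stand in for
# encoded payload chunks; the other names are ordinary package/API lookups.
SAMPLE_LOG = """\
2024-05-01T12:00:01Z 10.0.0.5 pypi.org A
2024-05-01T12:00:02Z 10.0.0.5 files.pythonhosted.org AAAA
2024-05-01T12:00:03Z 10.0.0.5 k7q2m9xv4pz8n3rw6ya5hb.c1.oob-placeholder.example A
2024-05-01T12:00:04Z 10.0.0.5 d4t1g8cf0jsl6e9uoiw2zp.c2.oob-placeholder.example A
2024-05-01T12:00:05Z 10.0.0.5 x3ah7vmq5kn0be2rl9cuyz.c3.oob-placeholder.example AAAA
2024-05-01T12:00:06Z 10.0.0.5 cdn-production-assets.example.org A
2024-05-01T12:00:07Z 10.0.0.5 api.github.com AAAA
"""

# Thresholds are assumptions for this example, not published guidance.
MIN_SUBDOMAIN_LEN = 20     # characters left of the registrable domain
MIN_ENTROPY = 3.0          # bits/char of the leftmost label
MIN_DISTINCT_QUERIES = 3   # a tunnel must vary names to defeat resolver caching


def shannon_entropy(text: str) -> float:
    """Bits per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registrable_domain) using a naive last-two-labels rule.

    Assumption: no public-suffix list, so names like host.co.uk mis-split.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, qname, qtype = parts
    return {"ts": ts, "src": src, "qname": qname, "qtype": qtype.upper()}


def is_suspicious_query(qname: str) -> bool:
    """True when the subdomain is long and its leftmost label looks encoded."""
    sub, _ = split_name(qname)
    if len(sub) < MIN_SUBDOMAIN_LEN:
        return False
    leftmost = sub.split(".")[0]
    return shannon_entropy(leftmost) >= MIN_ENTROPY


def detect_tunnels(log_text: str):
    """Group suspicious A/AAAA queries by (source, registrable domain).

    A single odd-looking hostname (like the cdn-production-assets line above)
    is not enough; only pairs with MIN_DISTINCT_QUERIES distinct names are
    returned, as {(src, domain): sorted list of query names}.
    """
    candidates = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["qtype"] not in ("A", "AAAA"):
            continue
        if is_suspicious_query(rec["qname"]):
            _, base = split_name(rec["qname"])
            candidates[(rec["src"], base)].add(rec["qname"])
    return {
        key: sorted(names)
        for key, names in candidates.items()
        if len(names) >= MIN_DISTINCT_QUERIES
    }


if __name__ == "__main__":
    for (src, base), names in detect_tunnels(SAMPLE_LOG).items():
        print(f"{src} -> {base}: {len(names)} distinct encoded-looking queries")
        for name in names:
            print("   ", name)
```

Run on the constructed log, only the `oob-placeholder.example` group is reported; the single long `cdn-production-assets` lookup trips the per-query heuristic but not the distinct-name threshold, which is the point of combining the two. In a real deployment, feed this the query log of the resolver the sandbox is forced to use, and treat any hit from a Code Interpreter session that is supposed to have no network access as an incident rather than a tuning problem.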
