Unit 42 uncovers critical vulnerabilities in Amazon Bedrock AgentCore's sandbox, demonstrating DNS tunneling and credential exposure.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Unit 42 researchers discovered critical vulnerabilities in Amazon Bedrock AgentCore's Code Interpreter sandbox. Despite being advertised as providing 'complete isolation with no external network access,' the sandbox mode was found to permit recursive DNS queries to arbitrary public domains, enabling DNS tunneling for bidirectional data exfiltration and C2 communication. Additionally, the AgentCore Runtime's microVM Metadata Service (MMDS) lacked session token enforcement (IMDSv1-style), making it vulnerable to SSRF attacks that could expose IAM credentials. Researchers also found undocumented MMDS endpoints leaking internal S3 pre-signed URLs and KMS Key IDs belonging to AWS's own backend infrastructure. The full attack chain allows breaking out of the sandbox via DNS, accessing IAM credentials via the unprotected metadata service, and exfiltrating them externally. AWS has since updated documentation, enforced MMDSv2 for new agents, and recommends VPC mode with Route 53 DNS Firewall for complete isolation.

Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox