AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE

"The fact that the service allows DNS queries despite 'no network access' configuration can allow 'threat actors to establish command-and-control channels and data exfiltration over DNS in certain scenarios, bypassing the expected network isolation controls,' according to Kinnaird McQuade, chief security architect at BeyondTrust."
"In an experimental attack scenario, a threat actor can abuse this behavior to set up a bidirectional communication channel using DNS queries and responses, obtain an interactive reverse shell, exfiltrate sensitive information through DNS queries if their IAM role has permissions to access AWS resources like S3 buckets storing that data, and perform command execution."
"The DNS communication mechanism can be abused to deliver additional payloads that are fed to the Code Interpreter, causing it to poll the DNS command-and-control server for commands stored in DNS A records, execute them, and return the results via DNS subdomain queries."
BeyondTrust disclosed a vulnerability in Amazon Bedrock AgentCore Code Interpreter that permits outbound DNS queries despite being configured with no network access. This flaw enables threat actors to establish bidirectional communication channels, obtain interactive reverse shells, and exfiltrate sensitive data by bypassing network isolation controls. Attackers can abuse DNS communication to deliver payloads, poll command-and-control servers for commands stored in DNS A records, and execute them. The vulnerability carries a CVSS score of 7.5. The service requires an IAM role to access AWS resources, and overprivileged role assignments could grant broad permissions to sensitive data.
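
A defender-side check for the behaviour summarised above, as an added example that is not from BeyondTrust, AWS, or the original article: it scans resolver logs for any lookup from a source expected to be isolated, and for parent domains receiving many long, high-entropy subdomain queries. The log tuples, source names, the `tunnel.example` domain and the thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: (source, query name). Not real telemetry;
# "tunnel.example" and the source names are placeholders.
QUERIES = [
    ("build-host", "pypi.org"),
    ("build-host", "files.pythonhosted.org"),
    ("sandbox-a", "s3.us-east-1.amazonaws.com"),
    ("sandbox-a", "poll.tunnel.example"),
    ("sandbox-a", "0123456789abcdeffedcba9876543210.tunnel.example"),
    ("sandbox-a", "1032547698badcfeefcdab8967452301.tunnel.example"),
    ("sandbox-a", "f0e1d2c3b4a5968778695a4b3c2d1e0f.tunnel.example"),
    ("sandbox-a", "89abcdef0123456776543210fedcba98.tunnel.example"),
]
ISOLATED = {"sandbox-a"}  # assumption: sources expected to have no network access


def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def split_name(qname):
    """Return (subdomain, parent). Naive two-label parent; use the Public
    Suffix List in production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def isolated_queries(queries, isolated=ISOLATED):
    """Every lookup from an isolated source is a policy violation by itself."""
    return [(src, q) for src, q in queries if src in isolated]


def tunnel_suspects(queries, min_unique=3, min_len=24, min_entropy=3.0):
    """Parent domains receiving many distinct long, high-entropy subdomains."""
    subs = defaultdict(set)
    for _, qname in queries:
        sub, parent = split_name(qname)
        if len(sub) >= min_len and entropy(sub) >= min_entropy:
            subs[parent].add(sub)
    return sorted(p for p, s in subs.items() if len(s) >= min_unique)
```

The first check needs no heuristics: a source configured with no network access should produce no external lookups at all, so every row it returns is worth investigating.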
Read at The Hacker News