BeyondTrust researchers stated in a weblog publish that AWS acknowledged the report and reproduced the difficulty in the course of the disclosure course of, however in the end selected to not patch the habits, calling it an “meant performance quite than a defect.”
The “allowed” DNS path breaks isolation
The problem is that the sandbox atmosphere permits outbound DNS queries, which might be manipulated to create a bidirectional communication channel between the AI agent and an exterior attacker-controlled server. By encoding information into DNS queries and responses, BeyondTrust’s Phantom Labs workforce demonstrated exfiltrating information and even establishing an interactive reverse shell, with out triggering any community restrictions.
“The (weak) atmosphere permits outbound DNS queries for A and AAAA information, a structural allowance that menace actors can exploit to determine a bidirectional command-and-control channel,” stated Jason Soroko, senior fellow at Sectigo. As soon as that channel is in place, the remaining turns into a query of permissions. If the agent is working with overly broad IAM roles, the blast radius expands rapidly.
