BeyondTrust researchers said in a blog post that AWS acknowledged the report and reproduced the issue during the disclosure process, but ultimately chose not to patch the behavior, calling it an “intended functionality rather than a defect.”
The “allowed” DNS path breaks isolation
The issue is that the sandbox environment permits outbound DNS queries, which can be manipulated to create a bidirectional communication channel between the AI agent and an external attacker-controlled server. By encoding data into DNS queries and responses, BeyondTrust’s Phantom Labs team demonstrated exfiltrating data and even establishing an interactive reverse shell, without triggering any network restrictions.
“The (susceptible) environment permits outbound DNS queries for A and AAAA records, a structural allowance that threat actors can exploit to establish a bidirectional command-and-control channel,” said Jason Soroko, senior fellow at Sectigo. Once that channel is in place, the rest becomes a question of permissions. If the agent is running with overly broad IAM roles, the blast radius expands quickly.
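A defender-side sketch of how the channel described above can surface in resolver logs, added here as an example and not taken from BeyondTrust or AWS: it groups A/AAAA queries by parent domain and flags parents that receive many long, high-entropy subdomain labels. The log entries, the thresholds and the two-label parent-domain rule are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log entries (query type, query name); not real traffic.
SAMPLE_LOG = [
    ("A", "www.example.com"), ("AAAA", "www.example.com"),
    ("A", "api.example.com"), ("A", "cdn.example.com"),
    ("A", "static.example.com"), ("A", "mail.example.com"),
    ("A", "mzxw6ytboi2gk3tfoq3hk4ds.t.example.net"),
    ("AAAA", "nbswy3dpeb3w64tmmqqhi2lt.t.example.net"),
    ("A", "orugs4zanfzsa5dfon2c4y3p.t.example.net"),
    ("AAAA", "kbqxg43xn5zgiidjom5cayls.t.example.net"),
]

def shannon_entropy(label):
    """Bits per character; encoded payloads score higher than hostnames."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def parent_domain(name):
    # Assumption: the last two labels are the registered domain. Production
    # code should consult the Public Suffix List instead.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def suspicious_parents(log, min_unique=4, min_len=20, min_entropy=3.0):
    """Return {parent: stats} for domains whose A/AAAA lookups look like a tunnel."""
    subs = defaultdict(set)
    for qtype, name in log:
        if qtype not in ("A", "AAAA"):
            continue
        labels = name.rstrip(".").lower().split(".")[:-2]
        if labels:
            # The longest label is where encoded data would be carried.
            subs[parent_domain(name)].add(max(labels, key=len))
    flagged = {}
    for parent, labels in subs.items():
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if len(labels) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged[parent] = {"unique": len(labels), "mean_len": mean_len,
                               "mean_entropy": round(mean_ent, 2)}
    return flagged

if __name__ == "__main__":
    for parent, stats in suspicious_parents(SAMPLE_LOG).items():
        print(parent, stats)
```

The five distinct but short hostnames under `example.com` are not flagged, which shows why subdomain count alone is a poor signal and needs to be combined with label length and entropy.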


