This week's articles
Pwning AI Code Interpreters in AWS Bedrock AgentCore
Phantom Labs discovered that AWS Bedrock AgentCore Code Interpreter's sandbox mode allows DNS queries, enabling bypass of network isolation through DNS-based command-and-control. This research details the discovery, proof-of-concept exploit, disclosure timeline, and defensive guidance for organizations using Code Interpreter workloads.
Pentesting a pentest agent - Here's what I've found in AWS Security Agent
A researcher pentested AWS Security Agent, finding 4 issues: DNS confusion enabling unauthorized domain pentesting, a full reverse shell/container escape chain to host root + AWS credentials via prompt injection, unnecessary destructive actions (e.g., DROP TABLE probes, exploit-based cleanup deleting /etc/crontab), and unredacted secrets in pentest reports.
Cracks in the Bedrock: Bypassing SCP Enforcement with Long-Lived API Keys
A Sonrai Security researcher discovered that AWS "bedrock-mantle" IAM permissions could bypass SCP enforcement when using long-lived Service Specific Credential API keys. IAM policy denials worked correctly, but SCP denials were bypassed. AWS patched this between Jan–Feb 2026; no customer action required.
CrackArmor: Multiple vulnerabilities in AppArmor
Qualys's "CrackArmor" advisory details 9 vulnerabilities in Linux AppArmor: a confused-deputy flaw letting unprivileged users load/replace/remove arbitrary profiles, plus kernel bugs (uncontrolled recursion, OOB read enabling KASLR leak, use-after-free, double-free), all exploitable for full LPE to root on Ubuntu/Debian.