AWS Bedrock AgentCore Code Interpreter Vulnerability Enables Data Exfiltration via DNS

The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.

Researchers discovered a critical flaw in AWS Bedrock AgentCore Code Interpreter's Sandbox mode, allowing attackers to bypass network isolation and exfiltrate sensitive data through DNS queries. Despite AWS's documentation update, the vulnerability remains unpatched, exposing users to potential data breaches and covert command-and-control channels. [AI generated]

Why's our monitor labelling this an incident or hazard?

The event explicitly involves an AI system (AgentCore Code Interpreter) and describes how its use and architectural design flaw directly enable malicious actors to bypass security controls and exfiltrate sensitive data. This constitutes harm to property and security of cloud environments, fulfilling the criteria for an AI Incident. The harm is realized or highly likely given the described attack vectors and consequences. AWS's decision not to patch the vulnerability does not negate the harm caused or the direct link to the AI system's malfunction or design flaw. Therefore, this is classified as an AI Incident rather than a hazard or complementary information. [AI generated]

AI principles
Privacy & data governance, Robustness & digital security

Industries
IT infrastructure and hosting, Digital security

Affected stakeholders
Business

Harm types
Human or fundamental rights

Severity
AI incident

AI system task:
Other


Articles about this incident or hazard

AWS Bedrock Vulnerability Exposes Sandbox to DNS Bypass

2026-03-17
TechNadu
Why's our monitor labelling this an incident or hazard?
The event explicitly involves an AI system (AgentCore Code Interpreter) and describes how its use and architectural design flaw directly enable malicious actors to bypass security controls and exfiltrate sensitive data. This constitutes harm to property and security of cloud environments, fulfilling the criteria for an AI Incident. The harm is realized or highly likely given the described attack vectors and consequences. AWS's decision not to patch the vulnerability does not negate the harm caused or the direct link to the AI system's malfunction or design flaw. Therefore, this is classified as an AI Incident rather than a hazard or complementary information.

Security Flaw in AWS Bedrock Code Interpreter Raises Alarms

2026-03-16
Infosecurity Magazine
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (AWS Bedrock AgentCore Code Interpreter) whose use allows malicious actors to exploit DNS resolution to exfiltrate data, demonstrating a plausible pathway to harm. No actual harm has been reported yet, but the demonstrated method shows a credible risk of data breach and exposure of sensitive information, which qualifies as harm to property. The AI system's design and use are central to this risk. AWS's stance that this is intended functionality does not negate the plausible future harm. Hence, this is best classified as an AI Hazard rather than an AI Incident or Complementary Information.

AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE - IT Security News

2026-03-17
IT Security News - cybersecurity, infosecurity news
Why's our monitor labelling this an incident or hazard?
The report explicitly involves AI systems (Amazon Bedrock AgentCore Code Interpreter) and details a security flaw that enables data exfiltration and remote code execution, which are direct harms related to the AI system's malfunction or misuse. This meets the criteria for an AI Incident because the AI system's malfunction has directly led to a security breach, a form of harm to property and potentially to users' privacy and security.

AWS Bedrock AgentCore Sandbox Bypass Allows Covert C2 Channels and Data Exfiltration

2026-03-17
Cyber Security News
Why's our monitor labelling this an incident or hazard?
The AWS Bedrock AgentCore Code Interpreter is an AI system that executes code on behalf of users. The Sandbox mode's failure to isolate network traffic as promised allowed attackers to establish covert channels and exfiltrate sensitive data, including PII and credentials, which constitutes harm to property and violations of privacy rights. The involvement of the AI system's malfunction directly caused these harms. The event is not merely a potential risk but a realized security breach, thus it is an AI Incident rather than a hazard or complementary information.

AWS Bedrock tool vulnerability allows data exfiltration via DNS leaks

2026-03-18
SC Media
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (AWS Bedrock AgentCore Code Interpreter) with a sandbox environment designed to isolate AI code execution. The vulnerability allows DNS-based data exfiltration, which is a credible pathway for harm to organizations' data security (harm to property). Although no actual harm is reported, the potential for exploitation is clear and plausible. AWS's partial remediation and advisory indicate ongoing risk. Hence, this is an AI Hazard, not an Incident, since harm has not yet materialized but could plausibly occur due to the AI system's malfunction or design flaw.