AI/ML

Researchers detail attack chain escaping Anthropic’s Claude Cowork sandbox


As reported by Silicon Angle, security researchers at Armadin Inc. have detailed an attack chain that yields arbitrary command execution as root inside the sandbox environment of Anthropic PBC's Claude Cowork. The chain reportedly defeats the isolation layer and strips the network restrictions that are meant to contain what runs there.

The chain combines two reported weaknesses in Claude Cowork for Windows. The first gives arbitrary command execution as root by manipulating a resume flag passed through the CoworkVMService. Ordinarily each command is run under a freshly created unprivileged user; the manipulated flag skips that step, so an attacker who already has local code execution can run commands as any existing user, including root. Once running as root inside the sandbox, the researchers used nsenter, which joins the Linux namespaces of another process, to step out of the per-command sandbox into the wider virtual machine.

The second weakness strips network restrictions: the domain allowlist can be overridden on a per-command basis, and supplying a wildcard as the override removes the egress limits entirely. Combined, the two allow an attacker to exfiltrate sensitive data from the VM. Anthropic does not consider this a security issue, stating that the chain requires prior local code execution on the host machine. The disagreement is therefore about the trust boundary: the sandbox is not claimed to defend against an attacker who already controls the host, but the chain shows that the VM and its egress controls offer little defense in depth once the host is compromised.
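The per-command allowlist override illustrates a general policy-design mistake: an override that replaces the global allowlist can only be as strict as the caller chooses to make it. The following is an added example, not Anthropic's code or the researchers' exploit; the CommandPolicy class, the field names and the sample policy are assumptions made for illustration. It shows a weak design in which a "*" override lifts every egress restriction, beside a hardened design in which per-command entries may only narrow the global list and wildcard widening is rejected.

```python
"""Egress allowlist handling: widening override vs. narrow-only override.

Added illustration; the policy structure below is assumed, not Anthropic's.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class CommandPolicy:
    """Egress policy for one sandboxed command (assumed structure)."""
    base_allow: Tuple[str, ...]                  # product-wide allowlist
    override: Optional[Tuple[str, ...]] = None   # optional per-command allowlist


def _normalize(host: str) -> str:
    return host.strip().lower().rstrip(".")


def _matches(host: str, patterns: Sequence[str]) -> bool:
    # fnmatch's '*' also crosses label boundaries, so "*.example.com" admits
    # "a.b.example.com"; that is the usual meaning of such allowlists.
    host = _normalize(host)
    return any(fnmatchcase(host, _normalize(p)) for p in patterns)


def egress_allowed(host: str, allowlist: Sequence[str]) -> bool:
    """True if the sandboxed command may connect to host under allowlist."""
    return _matches(host, allowlist)


def effective_allowlist_weak(policy: CommandPolicy) -> Tuple[str, ...]:
    # Weak design: a per-command override *replaces* the global list, so a
    # single "*" entry lifts every egress restriction for that command.
    return policy.override if policy.override is not None else policy.base_allow


def _well_formed(pattern: str) -> bool:
    # Accept only a literal hostname or a single leading "*." label wildcard;
    # a bare "*" or embedded glob characters are rejected.
    body = pattern[2:] if pattern.startswith("*.") else pattern
    return bool(body) and not any(c in body for c in "*?[")


def _covered(entry: str, base: Sequence[str]) -> bool:
    # A per-command entry is acceptable only if the global list already
    # permits everything that entry would permit.
    entry = _normalize(entry)
    if entry.startswith("*."):
        suffix = entry[2:]
        return any(
            b.startswith("*.") and (suffix == b[2:] or suffix.endswith("." + b[2:]))
            for b in map(_normalize, base)
        )
    return _matches(entry, base)


def effective_allowlist_hardened(policy: CommandPolicy) -> Tuple[str, ...]:
    # Hardened design: an override may only narrow the global list. Entries
    # that would widen it (wildcards, hosts outside the policy) are refused.
    if policy.override is None:
        return policy.base_allow
    narrowed = []
    for entry in policy.override:
        if not _well_formed(entry):
            raise ValueError(f"rejected malformed or over-broad entry: {entry!r}")
        if not _covered(entry, policy.base_allow):
            raise ValueError(f"override widens egress beyond policy: {entry!r}")
        narrowed.append(_normalize(entry))
    return tuple(narrowed)


if __name__ == "__main__":
    BASE = ("api.example.com", "*.storage.example.com")  # constructed sample policy
    weak = effective_allowlist_weak(CommandPolicy(BASE, ("*",)))
    print("weak design, override '*' reaches attacker host:",
          egress_allowed("exfil.attacker.example", weak))
    try:
        effective_allowlist_hardened(CommandPolicy(BASE, ("*",)))
    except ValueError as err:
        print("hardened design:", err)
```

The hardened variant treats the global allowlist as the ceiling: a command may ask for less than the policy grants but never more, which is the least-privilege shape an override mechanism should have. The same rule applies whoever supplies the override, since the page's point is that a local attacker can set it.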

Armadin validated the chain against Claude Desktop for Windows version 1.9255.2.0. The disclosure underlines a practical concern for defenders: AI productivity tools are now running local virtual machines on the systems of non-technical users, and endpoint security tooling often has little visibility into what executes inside those VMs.

Source: Silicon Angle
