Summary: Cybersecurity researchers have identified six vulnerabilities in the Ollama AI framework that could be exploited for various malicious activities, including denial-of-service attacks, model poisoning, and model theft. These vulnerabilities pose significant risks, particularly as many instances of Ollama are exposed to the internet without proper security measures.
Threat Actor: Malicious Actors | malicious actors
Victim: Ollama Users | Ollama users
Key Point :
- Six vulnerabilities identified, including CVE-2024-39719 and CVE-2024-39720, which can lead to denial-of-service and resource exhaustion.
- Two unpatched vulnerabilities could allow for model poisoning and theft via specific API endpoints.
- Ollama instances are widely exposed on the internet, with a significant percentage deemed vulnerable.
- Recommendations include using proxies or web application firewalls to limit endpoint exposure.
Cybersecurity researchers have disclosed six security flaws in the Ollama artificial intelligence (AI) framework that could be exploited by a malicious actor to perform various actions, including denial-of-service, model poisoning, and model theft.
“Collectively, the vulnerabilities could allow an attacker to carry out a wide-range of malicious actions with a single HTTP request, including denial-of-service (DoS) attacks, model poisoning, model theft, and more,” Oligo Security researcher Avi Lumelsky said in a report published last week.
Ollama is an open-source application that allows users to deploy and operate large language models (LLMs) locally on Windows, Linux, and macOS devices. Its project repository on GitHub has been forked 7,600 times to date.
A brief description of the six vulnerabilities is below –
- CVE-2024-39719 (CVSS score: 7.5) – A vulnerability that an attacker can exploit using /api/create an endpoint to determine the existence of a file in the server (Fixed in version 0.1.47)
- CVE-2024-39720 (CVSS score: 8.2) – An out-of-bounds read vulnerability that could cause the application to crash by means of the /api/create endpoint, resulting in a DoS condition (Fixed in version 0.1.46)
- CVE-2024-39721 (CVSS score: 7.5) – A vulnerability that causes resource exhaustion and ultimately a DoS when invoking the /api/create endpoint repeatedly when passing the file “/dev/random” as input (Fixed in version 0.1.34)
- CVE-2024-39722 (CVSS score: 7.5) – A path traversal vulnerability in the api/push endpoint that exposes the files existing on the server and the entire directory structure on which Ollama is deployed (Fixed in version 0.1.46)
- A vulnerability that could lead to model poisoning via the /api/pull endpoint from an untrusted source (No CVE identifier, Unpatched)
- A vulnerability that could lead to model theft via the /api/push endpoint to an untrusted target (No CVE identifier, Unpatched)
For both unresolved vulnerabilities, the maintainers of Ollama have recommended that users filter which endpoints are exposed to the internet by means of a proxy or a web application firewall.
“Meaning that, by default, not all endpoints should be exposed,” Lumelsky said. “That’s a dangerous assumption. Not everybody is aware of that, or filters HTTP routing to Ollama. Currently, these endpoints are available through the default port of Ollama as part of every deployment, without any separation or documentation to back it up.”
Oligo said it found 9,831 unique internet-facing instances that run Ollama, with a majority of them located in China, the U.S., Germany, South Korea, Taiwan, France, the U.K., India, Singapore, and Hong Kong. One out of four internet-facing servers has been deemed vulnerable to the identified flaws.
The development comes more than four months after cloud security firm Wiz disclosed a severe flaw impacting Ollama (CVE-2024-37032) that could have been exploited to achieve remote code execution.
“Exposing Ollama to the internet without authorization is the equivalent to exposing the Docker socket to the public internet, because it can upload files and has model pull and push capabilities (that can be abused by attackers),” Lumelsky noted.
Source: https://thehackernews.com/2024/11/critical-flaws-in-ollama-ai-framework.html