
Ollama drama as 'easy-to-exploit' critical flaw found in open source AI server

About a thousand vulnerable instances still exposed online, we're told


A now-patched vulnerability in Ollama – a popular open source project for running LLMs – can lead to remote code execution, according to flaw finders who warned that upwards of 1,000 vulnerable instances remain exposed to the internet.

Wiz Research disclosed the flaw, tracked as CVE-2024-37032 and dubbed Probllama, on May 5, and Ollama's maintainers fixed the issue in version 0.1.34, released via GitHub a day later.

Ollama is useful for performing inference with compatible neural networks – such as Meta's Llama family, hence the name; Microsoft's Phi clan; and models from Mistral – and it can be used on the command line or via a REST API. It has hundreds of thousands of monthly pulls on Docker Hub.

In a report published today, the Wiz bug hunting team's Sagi Tzadik said the vulnerability is due to insufficient validation on the server side of that REST API provided by Ollama. An attacker could exploit the flaw by sending a specially crafted HTTP request to the Ollama API server — and in Docker installations, at least, the API server is publicly exposed.

The Ollama server provides multiple API endpoints that perform core functions. This includes the API endpoint /api/pull that lets users download models from the Ollama registry as well as private registries. As the researchers found, the process to trigger the download of a model was exploitable, allowing miscreants to potentially compromise the environment hosting a vulnerable Ollama server.

"What we found is that when pulling a model from a private registry (by querying the http://[victim]:11434/api/pull API endpoint), it is possible to supply a malicious manifest file that contains a path traversal payload in the digest field," Tzadik explained.

An attacker could then use that payload to corrupt files on the system, achieve arbitrary file read, and ultimately remote code execution (RCE) to hijack that system.

"This issue is extremely severe in Docker installations, as the server runs with root privileges and listens on 0.0.0.0 by default – which enables remote exploitation of this vulnerability," Tzadik emphasized.
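The root cause described above is a digest value that is trusted as a path component. The following is an added example, not Ollama's own code and not Wiz's proof of concept: it models a minimal manifest (the `Manifest` and `Layer` types, the `blobsDir` layout and the `sha256-<hex>` file naming are assumptions for illustration) and shows the two checks a pull implementation should make before touching the filesystem: an anchored allow-list on the digest format, and a second containment check that the resulting path still lies inside the blob directory.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Constructed, minimal view of a registry manifest as served for a pull.
// Only the fields this example needs are modelled; it is not Ollama's own type.
type Layer struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

type Manifest struct {
	SchemaVersion int     `json:"schemaVersion"`
	Layers        []Layer `json:"layers"`
}

// A canonical sha256 digest is "sha256:" followed by exactly 64 lowercase hex chars.
// The regexp is anchored, so slashes, "..", NUL bytes or anything else never pass.
var sha256Digest = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

var ErrBadDigest = errors.New("invalid digest")

// ValidateDigest is the allow-list check: nil only for a canonical sha256 digest.
func ValidateDigest(d string) error {
	if !sha256Digest.MatchString(d) {
		return fmt.Errorf("%w: %q", ErrBadDigest, d)
	}
	return nil
}

// BlobPath maps a validated digest to a file under blobsDir and then re-checks that the
// cleaned result is still inside blobsDir. The second check is defence in depth: even if
// the allow-list were loosened later, a traversal payload cannot escape the directory.
func BlobPath(blobsDir, digest string) (string, error) {
	if err := ValidateDigest(digest); err != nil {
		return "", err
	}
	// Assumed on-disk naming: "sha256-<hex>", so the file name never contains ':'.
	name := strings.Replace(digest, ":", "-", 1)
	root := filepath.Clean(blobsDir)
	p := filepath.Join(root, name)
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: escapes blob directory", ErrBadDigest)
	}
	return p, nil
}

// CheckManifest parses a manifest and returns the blob paths its layers would be written
// to, or the first error. A pull should reject the whole manifest on any error rather
// than silently skipping the offending layer.
func CheckManifest(blobsDir string, manifestJSON []byte) ([]string, error) {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	paths := make([]string, 0, len(m.Layers))
	for i, l := range m.Layers {
		p, err := BlobPath(blobsDir, l.Digest)
		if err != nil {
			return nil, fmt.Errorf("layer %d: %w", i, err)
		}
		paths = append(paths, p)
	}
	return paths, nil
}

func main() {
	// Constructed sample manifests: one benign, one carrying a traversal payload in "digest".
	benign := []byte(`{"schemaVersion":2,"layers":[{"mediaType":"application/vnd.ollama.image.model","digest":"sha256:` + strings.Repeat("ab", 32) + `","size":1}]}`)
	hostile := []byte(`{"schemaVersion":2,"layers":[{"mediaType":"application/vnd.ollama.image.model","digest":"sha256:../../../escape","size":1}]}`)
	for _, m := range [][]byte{benign, hostile} {
		paths, err := CheckManifest("/var/lib/ollama/blobs", m)
		fmt.Println(paths, err)
	}
}
```

The allow-list is the fix that matters; the containment check only exists so that a future format change (say, allowing other hash algorithms) cannot reintroduce the bug unnoticed.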

And despite a patched version of the project being available for over a month, the Wiz kids found that, as of June 10, there were more than 1,000 vulnerable Ollama server instances still exposed to the internet. In light of this, there are a couple of things anyone using Ollama should do to protect their AI applications.


First, and it should go without saying, update instances to version 0.1.34 or newer. Also, as Ollama doesn't inherently support authentication, do not expose installations to the internet unless they sit behind some form of authentication, such as an authenticating reverse proxy. Even better, don't allow the internet to reach the server at all: put it behind firewalls and only allow authorized internal applications and their users to access it.

"The critical issue is not just the vulnerabilities themselves but the inherent lack of authentication support in these new tools," Tzadik noted, referring to previous RCEs in other tools used to deploy LLMs including TorchServe and Ray Anyscale.

Plus, he added, even though these tools are new and often written in modern safety-first programming languages, "classic vulnerabilities such as path traversal remain an issue." ®
