Major Remote Code Execution Vulnerability Detected in Ollama AI Infrastructure Tool
Cybersecurity researchers have detailed a now-patched critical security flaw in the Ollama open-source artificial intelligence (AI) infrastructure platform that could be exploited to achieve remote code execution.
Identified as CVE-2024-37032, this vulnerability was named Probllama by cloud security company Wiz. The issue was resolved in version 0.1.34, released on May 7, 2024, following responsible disclosure on May 5, 2024.
Ollama is a utility for packaging, deploying, and running large language models (LLMs) locally on Windows, Linux, and macOS systems.
At its core, the issue stems from insufficient input validation, resulting in a path traversal flaw that an attacker could exploit to overwrite arbitrary files on the server and ultimately achieve remote code execution.
Successful exploitation requires sending specially crafted HTTP requests to the Ollama API server.
Specifically, this exploit takes advantage of the API endpoint “/api/pull,” designed for downloading a model from the official registry or a private repository. Attackers could inject a malicious model manifest file, containing a path traversal payload in the digest field.
The flaw not only allows specific files on the system to be tampered with, but also enables remote code execution by overwriting a configuration file (“etc/ld.so.preload”) associated with the dynamic linker (“ld.so”) so that it names a rogue shared library, which the linker then loads before any program runs.
While the risk of remote code execution is considerably lower in default Linux installations, because the API server binds to localhost, the opposite holds for Docker deployments, where the API server is publicly exposed.
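To make the root cause concrete, here is an added example (not Ollama's own code, and not the actual patch) contrasting the weak pattern the article describes, a manifest-supplied digest used directly to build a local file name, with a hardened version that validates the digest's shape before it ever touches the filesystem and then confirms the resolved path stays inside the blob directory. The directory `/srv/blobs`, the `sha256-<hex>` file naming, and the traversal-looking input are all constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// digestRe is the only shape a registry blob digest is allowed to have:
// the literal algorithm prefix followed by exactly 64 lowercase hex characters.
// Anything else, including "/", "." and "..", is rejected before any path is built.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

var (
	ErrBadDigest      = errors.New("digest does not match sha256:<64 lowercase hex chars>")
	ErrEscapesBlobDir = errors.New("resolved path escapes the blob directory")
)

// blobPathUnsafe mirrors the weak pattern behind CVE-2024-37032: a digest taken
// from a remote manifest is spliced straight into a local file name. filepath.Join
// cleans ".." segments, so a crafted digest resolves to a path outside blobDir.
func blobPathUnsafe(blobDir, digest string) string {
	return filepath.Join(blobDir, strings.ReplaceAll(digest, ":", "-"))
}

// blobPathSafe is the hardened form: an allow-list check on the digest first,
// then a defence-in-depth check that the final path is still under blobDir.
func blobPathSafe(blobDir, digest string) (string, error) {
	if !digestRe.MatchString(digest) {
		return "", ErrBadDigest
	}
	root, err := filepath.Abs(blobDir)
	if err != nil {
		return "", err
	}
	p := filepath.Join(root, strings.ReplaceAll(digest, ":", "-"))
	if escapesDir(root, p) {
		return "", ErrEscapesBlobDir
	}
	return p, nil
}

// escapesDir reports whether p (already cleaned) lies outside root.
func escapesDir(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	blobDir := "/srv/blobs" // constructed blob directory for the demo
	good := "sha256:" + strings.Repeat("ab", 32)
	bad := "sha256:../../../../etc/target-file" // constructed traversal-shaped digest

	fmt.Println("unsafe, valid digest:  ", blobPathUnsafe(blobDir, good))
	fmt.Println("unsafe, crafted digest:", blobPathUnsafe(blobDir, bad)) // lands outside /srv/blobs
	if p, err := blobPathSafe(blobDir, good); err == nil {
		fmt.Println("safe, valid digest:    ", p)
	}
	if _, err := blobPathSafe(blobDir, bad); err != nil {
		fmt.Println("safe, crafted digest:  ", err)
	}
}
```

The regular expression is the real fix; the `escapesDir` check exists so that a future change to the naming scheme (or a second code path that forgets the regex) still cannot write outside the blob directory. Note that `filepath.Join` silently normalises `..`, which is exactly why "the path looks like it is under blobDir" is not a safety argument on its own.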
“This vulnerability poses a significant threat in Docker setups where the server operates with ‘root’ privileges and listens on ‘0.0.0.0’ by default – allowing attackers to exploit it remotely,” said security analyst Sagi Tzadik.
Furthermore, the lack of authentication in Ollama compounds the severity, allowing an attacker to abuse a publicly accessible server to steal or tamper with AI models and compromise self-hosted AI inference servers.
To address this, it’s crucial to secure such services with protection mechanisms like reverse proxies that have built-in authentication features. Wiz reported identifying more than 1,000 unprotected Ollama instances hosting various AI models.
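As an added illustration of the reverse-proxy mitigation (example code, not part of the article or of Ollama), the program below exposes a single authenticated listener and forwards valid requests to an Ollama instance that itself stays bound to loopback. The environment variable name `OLLAMA_PROXY_TOKEN`, the listen port `8443`, and the upstream address `127.0.0.1:11434` (Ollama's default port) are assumptions for the demo; in production the proxy would also terminate TLS.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// authProxy wraps an upstream handler so that every request, including
// /api/pull, must carry a valid bearer token before it is forwarded.
// The comparison is constant-time so that response timing does not reveal
// how many bytes of a guessed token were correct.
func authProxy(token string, upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		h := r.Header.Get("Authorization")
		presented := strings.TrimPrefix(h, prefix)
		if !strings.HasPrefix(h, prefix) ||
			subtle.ConstantTimeCompare([]byte(presented), []byte(token)) != 1 {
			w.Header().Set("WWW-Authenticate", `Bearer realm="ollama"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		upstream.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed secret source for the demo: a long random value from the environment.
	token := os.Getenv("OLLAMA_PROXY_TOKEN")
	if len(token) < 32 {
		log.Fatal("OLLAMA_PROXY_TOKEN must be set to a long random secret")
	}

	// Ollama itself keeps listening only on loopback; the proxy is the one
	// thing reachable from the network, which is the inverse of the exposed
	// Docker configuration the article warns about.
	target, err := url.Parse("http://127.0.0.1:11434")
	if err != nil {
		log.Fatal(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(target)

	log.Println("authenticated proxy listening on :8443")
	log.Fatal(http.ListenAndServe("0.0.0.0:8443", authProxy(token, proxy)))
}
```

The important property is that unauthenticated requests never reach the Ollama process at all, so even an unpatched instance behind this proxy is not reachable by the anonymous HTTP requests the vulnerability requires; patching remains necessary, because anyone holding the token can still send the same requests.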

“CVE-2024-37032 represents an easily exploitable case of remote code execution that impacts contemporary AI infrastructure,” Tzadik emphasized. “Despite being relatively new and developed in modern programming languages, the presence of traditional vulnerabilities like Path Traversal poses ongoing threats.”
The disclosure comes as Protect AI, a company specializing in AI security, warned of more than 60 security vulnerabilities in various open-source AI/ML tools. These flaws carry critical risks such as information disclosure, unauthorized access to restricted resources, privilege escalation, and complete system takeover.
One of the most critical vulnerabilities identified is CVE-2024-22476 (CVSS score 10.0), an SQL injection weakness present in the Intel Neural Compressor software, enabling attackers to download any files from the host system. This flaw was mitigated in version 2.5.0.