Critical Flaws in Ollama AI Framework Could Enable DoS, Model Theft, and Poisoning

Nov 04, 2024 | Ravie Lakshmanan | Vulnerability / Cyber Threat

Cybersecurity researchers have disclosed six vulnerabilities in the Ollama artificial intelligence (AI) framework that an attacker could exploit to carry out a range of actions, including denial-of-service (DoS) attacks, model poisoning, and model theft.

“The vulnerabilities, when combined, could provide an opening for an attacker to execute a variety of malevolent activities through a single HTTP request, which includes denial-of-service (DoS) assaults, model poisoning, model theft, and more,” Oligo Security researcher Avi Lumelsky said in a report published last week.

Ollama is an open-source tool for deploying and running large language models (LLMs) locally on Windows, Linux, and macOS. The project's GitHub repository has been forked 7,600 times to date.

A brief summary of the six vulnerabilities follows. The first four share the /api/create and /api/push endpoints; the last two have no fix and no CVE identifier as of publication –

  • CVE-2024-39719 (CVSS score: 7.5) – A file-existence disclosure: an attacker can use the /api/create endpoint to determine whether a given file exists on the server (fixed in version 0.1.47)
  • CVE-2024-39720 (CVSS score: 8.2) – An out-of-bounds read reachable via the /api/create endpoint that crashes the application, resulting in a DoS condition (fixed in version 0.1.46)
  • CVE-2024-39721 (CVSS score: 7.5) – Resource exhaustion leading to a DoS, triggered by repeatedly calling the /api/create endpoint with the file "/dev/random" as input (fixed in version 0.1.34)
  • CVE-2024-39722 (CVSS score: 7.5) – A path traversal in the /api/push endpoint that exposes the files present on the server and the complete directory structure of the host on which Ollama is deployed (fixed in version 0.1.46)
  • A model-poisoning vulnerability: the /api/pull endpoint can be made to fetch a model from an untrusted source (no CVE identifier, unpatched)
  • A model-theft vulnerability: the /api/push endpoint can be made to upload a model to an untrusted destination (no CVE identifier, unpatched)
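The fix versions in the list above translate directly into a version check. The following Python is an added example, not Oligo's or Ollama's own code: it maps the version string a server reports to the issues it is still exposed to and the endpoints that therefore need to be blocked. It assumes the `{"version": "..."}` response shape of Ollama's `GET /api/version` endpoint, and its issue table is transcribed from this summary rather than from a vulnerability database.

```python
"""Map an Ollama server's reported version to the issues listed above.

Added example, not Oligo's or Ollama's code.  The fix versions come from the
summary above; the /api/version response shape ({"version": "0.1.46"}) is an
assumption.
"""
import json
from typing import Dict, List, Optional, Tuple

# (identifier, endpoint, version that fixed it).  None means no fix has
# shipped: those two issues stay open at any version and can only be
# mitigated by blocking the endpoint.
ISSUES: List[Tuple[str, str, Optional[str]]] = [
    ("CVE-2024-39719", "/api/create", "0.1.47"),
    ("CVE-2024-39720", "/api/create", "0.1.46"),
    ("CVE-2024-39721", "/api/create", "0.1.34"),
    ("CVE-2024-39722", "/api/push", "0.1.46"),
    ("model poisoning (no CVE)", "/api/pull", None),
    ("model theft (no CVE)", "/api/push", None),
]


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '0.1.46', 'v0.1.46' or '0.1.46-rc1' into a comparable tuple."""
    core, _, prerelease = text.strip().lstrip("v").partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    major, minor, patch = parts[:3]
    # A pre-release sorts below the final release of the same number, so an
    # '-rc' build is never assumed to carry a fix that shipped in the release.
    return (major, minor, patch, 0 if prerelease else 1)


def unresolved_issues(version: str) -> List[Tuple[str, str]]:
    """Issues a server at `version` is still exposed to, as (identifier,
    endpoint) pairs, assuming the endpoint is reachable by the attacker."""
    current = parse_version(version)
    return [
        (ident, endpoint)
        for ident, endpoint, fixed_in in ISSUES
        if fixed_in is None or current < parse_version(fixed_in)
    ]


def assess(version_response: str) -> Dict[str, object]:
    """Take the JSON body of GET /api/version and return the version, the
    open issues, and the endpoints worth blocking at a proxy."""
    version = json.loads(version_response)["version"]
    open_issues = unresolved_issues(version)
    return {
        "version": version,
        "unresolved": [ident for ident, _ in open_issues],
        "endpoints_to_block": sorted({endpoint for _, endpoint in open_issues}),
    }


if __name__ == "__main__":
    # Constructed responses, not captured from real servers.
    for body in ('{"version": "0.1.33"}', '{"version": "0.1.46"}',
                 '{"version": "0.3.14"}'):
        print(assess(body))
```

Note that even a fully current server still lists /api/pull and /api/push as endpoints to block, because the two unpatched issues have no fix version to compare against; the version check only tells you which of the CVEs are closed, not that the server is safe to expose.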

To mitigate the two unpatched issues, the Ollama maintainers recommend that users control which endpoints are exposed to the internet by placing a proxy or a web application firewall in front of the server.

“This implies that by default, not all endpoints should be exposed,” Lumelsky noted. “This is a hazardous assumption. Not everyone is knowledgeable about this or filters HTTP routing to Ollama. Currently, these endpoints are available through the default port of Ollama as part of every deployment, without any segregation or documentation to substantiate it.”
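One way to apply the maintainers' advice in code, as an added example that is not Ollama's or Oligo's own: a default-deny route policy that a reverse proxy consults before forwarding a request. The inference endpoints in the allowlist are Ollama's documented API paths, but the decision to allow exactly these is an assumption for illustration. The model-management endpoints named in the disclosure are blocked by falling through to the default rather than by being listed, and any path that is not already in canonical form is rejected, so percent-encoding and dot-segment tricks cannot be used to probe for an exception.

```python
"""Default-deny route policy for a reverse proxy in front of Ollama.

Added example, not Ollama's or Oligo's code.  The allowlist below is an
assumed set of inference endpoints chosen for illustration.
"""
import posixpath
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

# Endpoints an inference client needs.  Everything else, including
# /api/create, /api/pull, /api/push, /api/delete and /api/copy, is denied by
# default rather than enumerated in a blocklist that could fall out of date.
ALLOWED_ROUTES = {
    ("POST", "/api/generate"),
    ("POST", "/api/chat"),
    ("POST", "/api/embed"),
    ("POST", "/api/embeddings"),
    ("POST", "/api/show"),
    ("GET", "/api/tags"),
    ("GET", "/api/ps"),
    ("GET", "/api/version"),
}


def canonical_path(raw_target: str) -> str:
    """Reduce a request target to the path form the allowlist is written in:
    drop the query string, undo single and double percent-encoding, and
    collapse '.', '..', doubled and trailing slashes."""
    path = urlsplit(raw_target).path
    path = unquote(unquote(path))
    path = posixpath.normpath(path)
    return path if path.startswith("/") else "/" + path


def route_decision(method: str, raw_target: str) -> str:
    """Return 'allow' or 'deny' for one request line.

    A request is allowed only when (a) its path is already canonical, so the
    backend sees exactly the string that was checked, and (b) the method/path
    pair is on the allowlist.  Anything else, including every
    model-management endpoint, is denied.
    """
    raw_path = urlsplit(raw_target).path
    path = canonical_path(raw_target)
    if raw_path != path:
        return "deny"
    return "allow" if (method.upper(), path) in ALLOWED_ROUTES else "deny"


# Constructed request lines (not captured traffic) covering the cases that
# matter: legitimate inference calls, the endpoints from the disclosure, and
# a few bypass attempts against a naive prefix or substring match.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("POST", "/api/chat"),
    ("POST", "/api/generate?stream=false"),
    ("GET", "/api/tags"),
    ("POST", "/api/create"),
    ("POST", "/api/pull"),
    ("POST", "/api/push"),
    ("POST", "/api/pull/../chat"),   # dot segments resolve to an allowed path
    ("POST", "/api/%63hat"),         # percent-encoded 'c'
    ("POST", "/api/chat/"),          # trailing slash
    ("GET", "/api/chat"),            # right path, wrong method
]


def evaluate(requests: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the policy to a batch and return (method, target, decision)."""
    return [(m, t, route_decision(m, t)) for m, t in requests]


if __name__ == "__main__":
    for method, target, decision in evaluate(SAMPLE_REQUESTS):
        print(f"{decision:5s} {method:4s} {target}")
```

The policy only helps if the proxy is the sole path to the Ollama port: Ollama binds to 127.0.0.1:11434 by default, and a deployment that has set OLLAMA_HOST to a public address must be changed back to loopback (or firewalled) so that the raw API is not reachable around the proxy.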

Oligo said it found 9,831 unique internet-facing instances running Ollama, most of them located in China, the U.S., Germany, South Korea, Taiwan, France, the U.K., India, Singapore, and Hong Kong. Roughly one in four of those servers was found to be vulnerable to the disclosed issues.

The disclosure follows cloud security firm Wiz's report of a critical flaw in Ollama (CVE-2024-37032) that could have been exploited to achieve remote code execution.

“Exposing Ollama to the internet without permission is tantamount to exposing the docker socket to the public network, as it can upload files and possesses model pull and push capabilities (which could be exploited by attackers),” Lumelsky emphasized.
