Introduction

Cybersecurity researchers have disclosed six critical security vulnerabilities in the Ollama AI framework [1] [2]. These vulnerabilities pose significant risks, including denial-of-service (DoS) attacks, model poisoning, and model theft [1] [2], and each can be triggered by a single HTTP request.

Description

Cybersecurity researchers have identified six security vulnerabilities in the Ollama AI framework that could be exploited for denial-of-service (DoS) attacks, model poisoning, and model theft [1] [2]. Each can be triggered with a single HTTP request [2], allowing attackers to perform a range of malicious actions [2]. The vulnerabilities are:

  1. CVE-2024-39719 (CVSS score: 7.5) – A file-existence disclosure: the /api/create endpoint can be used to determine whether a given file exists on the server (Fixed in version 0.1.47) [1] [2].
  2. CVE-2024-39720 (CVSS score: 8.2) – An out-of-bounds read vulnerability that can crash the application through the /api/create endpoint, leading to a DoS condition (Fixed in version 0.1.46) [1].
  3. CVE-2024-39721 (CVSS score: 7.5) – Causes resource exhaustion and a DoS when the /api/create endpoint is repeatedly invoked with the file "/dev/random" (Fixed in version 0.1.34).
  4. CVE-2024-39722 (CVSS score: 7.5) – A path traversal vulnerability in the /api/push endpoint that reveals server files and directory structure (Fixed in version 0.1.46).
  5. An unpatched vulnerability that could enable model poisoning via the /api/pull endpoint from untrusted sources [1] [2].
  6. An unpatched vulnerability that could facilitate model theft via the /api/push endpoint to untrusted targets [1] [2].

Ollama maintainers recommend filtering exposed endpoints using a proxy or web application firewall [1] [2], as many users may not be aware of the risks of exposing every endpoint [1] [2]. Oligo Security has identified 9,831 unique internet-facing instances of Ollama [1], a significant number of them located in countries such as China, the US, Germany [1] [2], and South Korea [1]. Approximately 25% of these servers are vulnerable to the identified flaws [1] [2]. This follows a previous disclosure of a severe flaw (CVE-2024-37032) that could allow remote code execution [1] [2]. Exposing Ollama to the internet without an authorization layer in front of it poses significant security risks [1] [2], because the API accepts file uploads and offers model pull and push operations that attackers can abuse [1] [2].
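The following is an added worked example of the endpoint filtering the maintainers recommend; it is not configuration from the cited articles or from the Ollama project. It places an nginx reverse proxy in front of an Ollama server that is assumed to be bound to loopback on its default port 11434, denies the model-management endpoints named above (/api/create, /api/push, /api/pull) along with the remaining management routes, and exposes only the inference endpoints behind authentication and a rate limit. The hostname, certificate and htpasswd paths, and the rate-limit values are illustrative assumptions; the file is meant to be included from the nginx http context.

```nginx
# Added example, not from the cited articles or the Ollama project.
# Assumes Ollama listens only on loopback (e.g. OLLAMA_HOST=127.0.0.1:11434),
# so that this proxy is the only network path to the API.
upstream ollama {
    server 127.0.0.1:11434;
}

# Per-client request throttle (assumed values). CVE-2024-39721 relies on
# repeatedly invoking /api/create; throttling also blunts generic DoS attempts
# against the endpoints that remain exposed.
limit_req_zone $binary_remote_addr zone=ollama_rl:10m rate=10r/s;

server {
    listen 443 ssl;
    server_name ollama.example.internal;            # assumed hostname
    ssl_certificate     /etc/nginx/tls/ollama.crt;  # assumed paths
    ssl_certificate_key /etc/nginx/tls/ollama.key;

    # Deny the endpoints named in the advisory (create, push, pull) plus the
    # other model-management routes (delete, copy, blobs). Regex locations are
    # matched in order of appearance, so this block takes precedence below.
    # Model management is done locally on the host, not over the network.
    location ~ ^/api/(create|push|pull|delete|copy|blobs)(/|$) {
        return 403;
    }

    # Expose only what remote clients need: inference, model listing, version.
    location ~ ^/api/(generate|chat|embed|embeddings|tags|show|version)$ {
        limit_req zone=ollama_rl burst=20 nodelay;
        auth_basic "Ollama";                               # assumed auth layer
        auth_basic_user_file /etc/nginx/ollama.htpasswd;   # assumed path
        proxy_pass http://ollama;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_read_timeout 300s;   # streamed generations can take a while
    }

    # Everything else, including any endpoint added in a future release,
    # is denied by default rather than forwarded.
    location / {
        return 404;
    }
}
```

The allowlist is deliberately explicit: a deny list alone would forward any endpoint a later Ollama version introduces, whereas the catch-all `location /` ensures new routes stay unreachable until someone consciously adds them. Keeping Ollama on loopback matters as much as the proxy rules, since a proxy in front of a server that also listens on 0.0.0.0 filters nothing.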

Conclusion

The identified vulnerabilities in the Ollama AI framework highlight the need for robust security measures. Users are advised to implement protective strategies, such as placing a proxy or web application firewall in front of the service [1] [2], to mitigate these threats. As the threat landscape evolves, continuous monitoring and timely updates remain essential to safeguard against exploitation and to preserve the integrity of AI frameworks.

References

[1] https://thehackernews.com/2024/11/critical-flaws-in-ollama-ai-framework.html
[2] https://www.ihash.eu/2024/11/critical-flaws-in-ollama-ai-framework-could-enable-dos-model-theft-and-poisoning/