Ollama AI Framework Vulnerabilities: DoS, Model Theft, and Poisoning Possible
November 4, 2024
Security researchers have disclosed six security vulnerabilities in the Ollama artificial intelligence (AI) framework. An attacker could exploit them to carry out a range of damaging actions, including denial-of-service (DoS) attacks, model poisoning, and model theft. "Collectively, the vulnerabilities could allow an attacker to carry out a wide range of malicious actions with a single HTTP request, including denial-of-service (DoS) attacks, model poisoning, model theft, and more," stated Avi Lumelsky, a researcher at Oligo Security.
Ollama is open-source software for deploying and running large language models (LLMs) locally on Windows, Linux, and macOS. The project's GitHub repository has been forked 7,600 times so far. The researchers have published a brief overview of the six vulnerabilities.
For the two vulnerabilities that remain unpatched, Ollama's maintainers advise users to restrict which endpoints are reachable from the internet by placing a proxy or a web application firewall in front of the service. Lumelsky warned, "Meaning that, by default, not all endpoints should be exposed. That's a dangerous assumption. Not everybody is aware of that, or filters http routing to Ollama. Currently, these endpoints are available through the default port of Ollama as part of every deployment, without any separation or documentation to back it up."
Oligo discovered 9,831 unique internet-facing instances running Ollama, with most of them located in China, the U.S., Germany, South Korea, Taiwan, France, the U.K., India, Singapore, and Hong Kong. One in four internet-facing servers has been found vulnerable to the identified flaws.
The disclosure follows a critical flaw (CVE-2024-37032) in Ollama reported by cloud security firm Wiz more than four months earlier, which could be exploited for remote code execution. Lumelsky noted, "Exposing Ollama to the internet without authorization is equivalent to exposing the docker socket to the public internet, because it can upload files and has model pull and push capabilities (that can be abused by attackers)."
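To make the mitigation concrete, the following Python reverse proxy is an added example written for this article; it is not Ollama's own software, not Oligo's tooling, and not the maintainers' recommended configuration. It implements the two controls the article touches on: the maintainers' advice to expose only selected endpoints (here a default-deny allowlist of inference routes, with exact matching on the decoded path) and Lumelsky's point that an unauthenticated Ollama socket is as sensitive as a Docker socket (here a bearer-token check). It assumes Ollama is bound to loopback on its default port 11434, that the proxy's listener is the only socket reachable from outside, and a placeholder shared secret; the exact set of routes to allow is a deployment decision.

```python
# Added example (not Ollama's or Oligo's code): an allowlisting reverse proxy
# that only forwards inference endpoints to a loopback-bound Ollama instance.
import hmac
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import unquote, urlsplit
from urllib.request import Request, urlopen

UPSTREAM = "http://127.0.0.1:11434"  # assumed: Ollama on its default port, loopback only
API_TOKEN = "change-me"              # assumed placeholder secret; load from a secret store in practice
LISTEN = ("0.0.0.0", 8080)           # assumed: the only listener reachable from outside

# Default-deny allowlist of (method, exact path). Management routes such as
# /api/pull, /api/push, /api/create, /api/delete, /api/copy and /api/blobs/*
# are simply absent, so the proxy never forwards them.
ALLOWED_ROUTES = {
    ("POST", "/api/generate"),
    ("POST", "/api/chat"),
    ("POST", "/api/embed"),
    ("POST", "/api/embeddings"),
    ("GET", "/api/tags"),
    ("GET", "/api/version"),
}


def canonical_path(raw_path):
    """Drop the query string and percent-decode, so the allowlist is compared
    against the path the upstream router will actually dispatch on."""
    return unquote(urlsplit(raw_path).path)


def route_allowed(method, raw_path):
    """Exact match only: no prefix matching, trailing slashes, or '..' tricks."""
    return (method.upper(), canonical_path(raw_path)) in ALLOWED_ROUTES


def token_ok(auth_header):
    """Constant-time bearer-token check; a missing header fails closed."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth_header[len("Bearer "):], API_TOKEN)


class OllamaGateway(BaseHTTPRequestHandler):
    def _handle(self):
        if not token_ok(self.headers.get("Authorization")):
            self.send_error(401, "missing or invalid token")
            return
        if not route_allowed(self.command, self.path):
            # Same answer for unknown and blocked routes, so the upstream API
            # surface cannot be enumerated through the proxy.
            self.send_error(404, "not found")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        query = urlsplit(self.path).query
        target = UPSTREAM + canonical_path(self.path) + ("?" + query if query else "")
        req = Request(
            target,
            data=body,
            method=self.command,
            headers={"Content-Type": self.headers.get("Content-Type", "application/json")},
        )
        try:
            # Note: this buffers the whole upstream response, so Ollama's
            # streamed (NDJSON) replies arrive at the client all at once.
            with urlopen(req) as resp:
                self._relay(resp.status, resp.headers.get("Content-Type"), resp.read())
        except HTTPError as err:
            self._relay(err.code, err.headers.get("Content-Type"), err.read())

    def _relay(self, status, ctype, payload):
        self.send_response(status)
        self.send_header("Content-Type", ctype or "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = _handle


if __name__ == "__main__":
    ThreadingHTTPServer(LISTEN, OllamaGateway).serve_forever()
```

Run it on the host where Ollama listens on 127.0.0.1:11434 (Ollama's default bind), and have clients send `Authorization: Bearer <token>` to the proxy's port. The same policy can be expressed as nginx `location` blocks or WAF rules; the design choice that matters is default-deny with exact route matching, so that a new or undocumented management endpoint is blocked until someone deliberately adds it, and that the authorization check happens before any request reaches the model server.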