Ollama AI Framework Vulnerabilities: DoS, Model Theft, and Poisoning Possible

November 4, 2024

Security researchers have unveiled six significant security vulnerabilities within the Ollama artificial intelligence (AI) framework. These vulnerabilities could be manipulated by a malicious actor to perform a variety of damaging actions, including denial-of-service (DoS) attacks, model poisoning, and model theft. "Collectively, the vulnerabilities could allow an attacker to carry out a wide-range of malicious actions with a single HTTP request, including denial-of-service (DoS) attacks, model poisoning, model theft, and more," stated Avi Lumelsky, a researcher at Oligo Security.

Ollama is an open-source software that enables users to locally deploy and operate large language models (LLMs) on various operating systems, including Windows, Linux, and macOS. The project's repository on GitHub has been copied 7,600 times so far. A brief overview of the six vulnerabilities has been provided.

The maintainers of Ollama have advised users to control which endpoints are exposed to the internet through a proxy or a web application firewall for the two unresolved vulnerabilities. Lumelsky warned, "Meaning that, by default, not all endpoints should be exposed. That's a dangerous assumption. Not everybody is aware of that, or filters http routing to Ollama. Currently, these endpoints are available through the default port of Ollama as part of every deployment, without any separation or documentation to back it up."

Oligo discovered 9,831 unique internet-facing instances running Ollama, with most of them located in China, the U.S., Germany, South Korea, Taiwan, France, the U.K., India, Singapore, and Hong Kong. One in four internet-facing servers has been found vulnerable to the identified flaws.

This revelation follows the disclosure of a severe flaw (CVE-2024-37032) impacting Ollama by cloud security firm Wiz over four months ago, which could have been exploited for remote code execution. Lumelsky noted, "Exposing Ollama to the internet without authorization is the equivalent to exposing the docker socket to the public internet, because it can upload files and has model pull and push capabilities (that can be abused by attackers)."

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.