Sunday, January 12, 2025

Critical Vulnerabilities Found in Ollama AI Framework: Risks of DoS, Model Poisoning, and Theft 2024

Vulnerabilities in Ollama AI Framework

Cybersecurity researchers have revealed six significant vulnerabilities in the Ollama AI framework that could be exploited by malicious actors for a range of harmful activities, including denial-of-service (DoS) attacks, model poisoning, and model theft. These vulnerabilities pose serious risks for users deploying the open-source application, which enables local operation of large language models (LLMs) on various operating systems such as Windows, Linux, and macOS.

The identified vulnerabilities can be exploited collectively through a single HTTP request, making the potential for attacks particularly alarming. Oligo Security’s investigation found that these risks highlight critical oversights in the framework’s default configurations.

A closer examination of the vulnerabilities reveals the following:

  1. CVE-2024-39719 (CVSS score: 7.5): This vulnerability allows attackers to determine the existence of files on the server through the /api/create endpoint. A fix was implemented in version 0.1.47.
  2. CVE-2024-39720 (CVSS score: 8.2): An out-of-bounds read vulnerability that can cause the application to crash, leading to a DoS situation via the /api/create endpoint. This flaw was addressed in version 0.1.46.
  3. CVE-2024-39721 (CVSS score: 7.5): This vulnerability can cause resource exhaustion and ultimately result in a DoS condition when continuously invoking the /api/create endpoint with “/dev/random” as input. This issue was patched in version 0.1.34.
  4. CVE-2024-39722 (CVSS score: 7.5): A path traversal vulnerability within the /api/push endpoint that exposes server files and the entire directory structure in which Ollama operates. This was fixed in version 0.1.46.
  5. Unpatched Vulnerability: A potential model poisoning risk exists through the /api/pull endpoint when it is used with an untrusted source, with no CVE identifier assigned.
  6. Unpatched Vulnerability: Another considerable risk involves model theft via the /api/push endpoint directed at an untrusted target, also lacking a CVE identifier.

For the unresolved issues, Ollama maintainers recommend that users limit which endpoints are exposed to the internet by using a proxy or web application firewall. As highlighted by the researchers, this precaution is critical; by default, all endpoints are accessible through the default port of Ollama, which can easily lead to exploitation if not properly managed.
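The endpoint restriction the maintainers recommend can be sketched as a deny-by-default reverse proxy in Go; this is an added example, not code from Ollama or Oligo. The allowlisted inference paths, the listen address `:8080` and the upstream `127.0.0.1:11434` (Ollama's usual default port, which this article does not state) are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
)

// allowed is an assumed policy: the only method+path pairs forwarded to Ollama.
// /api/create, /api/pull and /api/push are absent, so they are never reachable.
var allowed = map[string]bool{
	"POST /api/generate": true,
	"POST /api/chat":     true,
	"GET /api/tags":      true,
}

// NewGuard returns a handler that forwards allowlisted requests to upstream
// and answers everything else with 403 without contacting Ollama.
func NewGuard(upstream string) (http.Handler, error) {
	target, err := url.Parse(upstream)
	if err != nil {
		return nil, err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Reject any path that is not already in canonical form, so dot
		// segments or doubled slashes cannot smuggle a blocked endpoint through.
		clean := path.Clean("/" + r.URL.Path)
		if clean != r.URL.Path || !allowed[r.Method+" "+clean] {
			http.Error(w, "endpoint not exposed", http.StatusForbidden)
			return
		}
		proxy.ServeHTTP(w, r)
	}), nil
}

func main() {
	// Assumed addresses: Ollama on loopback, the guard on the exposed port.
	guard, err := NewGuard("http://127.0.0.1:11434")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", guard))
}
```

The guard only helps if Ollama itself listens on loopback, so that the proxy is the sole network path to it; it adds no authentication, which still has to come from the proxy tier or a WAF in front of it.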

Significantly, Oligo’s research uncovered nearly 10,000 unique internet-facing instances running Ollama, with the majority located in countries such as China, the United States, Germany, South Korea, Taiwan, France, the United Kingdom, India, Singapore, and Hong Kong. Alarmingly, one in four of these internet-facing servers was found to be vulnerable to the reported flaws.

This discovery follows a previous report by a cloud security firm, which disclosed a serious flaw that could lead to remote code execution within the Ollama framework. Researchers have compared exposing Ollama to the internet without proper authorization to exposing sensitive Docker configurations publicly, as it allows for file uploads and misuse of model-pulling and pushing capabilities.

In light of these vulnerabilities, it is crucial for users of the Ollama AI framework to review their configurations and ensure proper security measures are in place to mitigate potential risks.

Assem
Assem’s journey is all about his passion for data security and networking, which led him to create Top Daily Blog. Here, he shares insights and practical tips to make digital safety accessible to everyone. With a solid educational background, Assem understands that in today’s world of evolving cyber threats, grasping data security is crucial for all users, not just tech experts. His goal is to empower readers—whether they’re seasoned tech enthusiasts or simply looking to protect their personal information. Join Assem as he navigates the intriguing landscape of data security, helping you enhance your online safety along the way!