Ollama patches critical vulnerability in open-source AI-framework (2024)


By John Leyden

News

Jun 25, 2024 · 4 mins

Hacking, Open Source, Vulnerabilities

The vulnerability could leave AI inference servers open to remote code execution that would allow them to be taken over.

Security researchers have discovered a critical remote code execution (RCE) flaw in Ollama, an open-source development platform for AI-based projects.

Inspired by Docker, Ollama aims to simplify the process of packaging and deploying AI models. However, a lack of authentication support meant that vulnerable versions of the technology that were exposed to the internet could be hacked, according to cloud security vendor Wiz.

Wiz notified Ollama, which reacted promptly by releasing an updated version of the technology — version 0.1.34 — that’s free of the CVE-2024-37032 vulnerability. The flaw was fixed on May 8, but Wiz waited six weeks to go public with its findings.

In a technical blog post, Wiz explains how it came across the vulnerability in evaluating Ollama as a means to self-host an internal AI development project involving a large-context AI model.

Vulnerability could allow remote code execution

While experimenting with Ollama, Wiz discovered it was possible to use a path traversal vulnerability to overwrite files on the server. Further investigation revealed that the vulnerability — which stems from insufficient input validation — could be escalated to achieve full remote code execution.
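The article describes the bug class but not the affected code, so the following is an added illustration rather than Ollama's own code or Wiz's exploit: in Go (the language Ollama is written in) it places the naive "join the client-supplied name onto the model store" pattern that enables path traversal next to a hardened version that proves the resolved path still lies under the store directory. The store path `/srv/models` and the blob name are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a client-supplied name resolves outside the store.
var ErrTraversal = errors.New("path escapes the model store")

// NaiveModelPath shows the pattern that enables path traversal: the untrusted
// name is joined onto the store directory and used as-is. filepath.Join cleans
// "..", so "../../etc/passwd" walks straight out of the store.
func NaiveModelPath(storeDir, untrusted string) string {
	return filepath.Join(storeDir, untrusted)
}

// SafeModelPath joins the same input but then checks that the result still
// lies strictly below storeDir before returning it.
func SafeModelPath(storeDir, untrusted string) (string, error) {
	if strings.ContainsRune(untrusted, 0) { // NUL bytes confuse lower layers
		return "", ErrTraversal
	}
	base, err := filepath.Abs(storeDir)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(base, untrusted)
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	// rel is "." for the store itself, ".." or "../x" for anything above it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

func main() {
	// Constructed inputs: one legitimate blob name, one traversal attempt.
	for _, name := range []string{"blobs/sha256-constructed", "../../etc/passwd"} {
		fmt.Printf("naive: %s\n", NaiveModelPath("/srv/models", name))
		p, err := SafeModelPath("/srv/models", name)
		fmt.Printf("safe:  %q err=%v\n", p, err)
	}
}
```

The lexical check above does not see through symlinks; if the store can contain links created by untrusted input, resolve the candidate with `filepath.EvalSymlinks` and repeat the same `Rel` test on the result.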

“In Docker installations, it is pretty straightforward to exploit it and achieve remote code execution, as the server runs with root privileges,” according to Wiz.

Wiz warned that a large number of Ollama instances running a vulnerable version were exposed to the internet as of June 10. In default Linux installations, the Ollama API server binds to the local host, reducing the risk of attack. However, in Docker-based deployments the API server is publicly exposed and therefore vulnerable to attack.

Internet scans by Wiz identified more than 1,000 exposed Ollama server instances hosting numerous AI models, including private models not listed in the Ollama public repository.

Ollama is used for self-hosted AI inference, and it supports many models out of the box. It also serves as the backend for common AI projects such as OpenWebUI, among others.

Hackers could use flaw to take over self-hosted AI inference servers

The Ollama flaw is similar to RCE flaws on other inference servers, including TorchServe and Ray Anyscale, discovered over the last 12 months, according to Wiz. “These vulnerabilities could allow attackers to take over self-hosted AI inference servers, steal or modify AI models, and compromise AI applications,” according to Wiz.

“The critical issue is not just the vulnerabilities themselves but the inherent lack of authentication support in these new tools.”

This lack of authentication support means that an attacker could access the system to either steal or modify AI models. Worse yet, a successful attack could allow an attacker to “execute remote code as a built-in feature,” according to Wiz.

The potential for mischief is extensive. Sagi Tzadik, the Wiz researcher who discovered the vulnerability, told CSO: “An attacker would be able to covertly leak private models, spy on user prompts, alter their responses, ransom the whole system, and even gain a foothold in the internal network. Once exploited, the machine is compromised.”

Authentication shortcomings create potential exposure

The lack of maturity for the class of technology makes it prudent to deploy additional security controls beyond applying Ollama’s patch, Wiz advised. Ollama setups should be isolated from the internet.

“The Ollama project is still in its early stages and does not support critical security features, like authentication,” Wiz’s Tzadik told CSO. “Even with the latest version running, attackers can obtain the AI models used on the Ollama server and even run them using the victim’s compute power.”

Tzadik added: “We recommend using a reverse proxy to add an authentication layer on top of Ollama or connecting Ollama directly to the AI application.”

Organizations are rapidly adopting a variety of new AI tools and infrastructure in an attempt to gain a competitive edge. Unfortunately, standardized security features, such as authentication, are lagging behind functionality in the development of these platforms, according to Wiz.

Ollama did not immediately respond to requests from CSO for comment on the vulnerability and advice for users about what they need to do.
