
Security researchers from Wiz have published details of a vulnerability they discovered in Ollama, the open-source project that packages and deploys AI models.
Ollama was created to simplify packaging and deploying AI models and to let users run those models efficiently. It is popular among open-source communities and enterprises that use AI for everything from research and development to production workloads.
The vulnerability, tracked as CVE-2024-37032 and dubbed "Probllama," is a remote code execution (RCE) flaw in Ollama that an attacker can trigger by sending specially crafted HTTP requests to an Ollama application programming interface (API) server.
The flaw is a path traversal issue caused by insufficient input validation in the "/api/pull" endpoint, which downloads a model from a registry. The endpoint fetches the model's manifest from that registry and uses the manifest's digest fields to build file paths on the server. Because the digest is not validated, an attacker who controls the registry a model is pulled from can return a manifest whose digest field carries a path traversal payload (a "../" sequence) and make the server write the blob to an arbitrary location, overwriting files on the system.
The vulnerability can be exploited to gain full remote code execution. By corrupting a critical system file such as "/etc/ld.so.preload," which lists shared libraries the dynamic loader injects into every new dynamically linked process, attackers can plant a malicious library that executes whenever a new process starts, giving them control of the server and the ability to tamper with the AI models and applications hosted on it.
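As an added illustration, not Ollama's own code, the Go program below shows the shape of the bug and of the fix: a constructed registry manifest (not real registry output) whose second layer carries a traversal digest, a vulnerable helper that joins the digest straight into the blobs directory, and a hardened helper that allow-lists the digest format and confirms the resolved path stays inside the directory. The blobs directory, the on-disk "sha256-<hex>" naming and the manifest layout are simplified assumptions for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Layer is the subset of a manifest layer entry this example needs.
type Layer struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

// Manifest is the subset of a model manifest this example needs.
type Manifest struct {
	Layers []Layer `json:"layers"`
}

// hostileManifest is a constructed sample, not real registry output. The
// first layer is well-formed; the second carries a traversal payload in
// its digest field, the shape of the Probllama bug.
const hostileManifest = `{
  "layers": [
    {"mediaType": "application/vnd.ollama.image.model",
     "digest": "sha256:8e3a1e8d9a5f2c6b7d0e4f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e",
     "size": 1024},
    {"mediaType": "application/vnd.ollama.image.model",
     "digest": "../../../../etc/ld.so.preload",
     "size": 64}
  ]
}`

// vulnerableBlobPath joins the digest straight into the blobs directory.
// filepath.Join cleans the result but does not stop ".." from walking out
// of blobsDir, so a hostile digest selects an arbitrary file.
func vulnerableBlobPath(blobsDir, digest string) string {
	return filepath.Join(blobsDir, digest)
}

var (
	// Only a canonical sha256 digest is ever a legitimate blob name.
	digestRe         = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)
	ErrInvalidDigest = errors.New("invalid digest format")
	ErrOutsideBlobs  = errors.New("resolved path escapes blobs directory")
)

// safeBlobPath allow-lists the digest format and then confirms the resolved
// path is still inside blobsDir (belt and braces against future regex edits).
// Blobs are stored as "sha256-<hex>" here; that naming is an assumption.
func safeBlobPath(blobsDir, digest string) (string, error) {
	if !digestRe.MatchString(digest) {
		return "", ErrInvalidDigest
	}
	p := filepath.Join(blobsDir, strings.Replace(digest, ":", "-", 1))
	rel, err := filepath.Rel(blobsDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBlobs
	}
	return p, nil
}

// checkManifest resolves every layer digest through safeBlobPath and
// returns the accepted on-disk paths and the rejected digests.
func checkManifest(blobsDir string, raw []byte) (accepted, rejected []string, err error) {
	var m Manifest
	if uerr := json.Unmarshal(raw, &m); uerr != nil {
		return nil, nil, uerr
	}
	for _, l := range m.Layers {
		p, perr := safeBlobPath(blobsDir, l.Digest)
		if perr != nil {
			rejected = append(rejected, l.Digest)
			continue
		}
		accepted = append(accepted, p)
	}
	return accepted, rejected, nil
}

func main() {
	const blobsDir = "/var/lib/ollama/blobs" // hypothetical models directory
	fmt.Println("vulnerable join:", vulnerableBlobPath(blobsDir, "../../../../etc/ld.so.preload"))
	accepted, rejected, err := checkManifest(blobsDir, []byte(hostileManifest))
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", accepted)
	fmt.Println("rejected:", rejected)
}
```

Running it shows the vulnerable join collapsing to "/etc/ld.so.preload" while the hardened path rejects the second layer before any file is opened. The regex alone is sufficient for this bug; the filepath.Rel containment check is there so that a later loosening of the allow-list cannot quietly reintroduce the traversal.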
Wiz's researchers found many vulnerable Ollama instances exposed to the internet, posing a significant security risk: the Ollama API has no built-in authentication, so an exposed instance can be reached by anyone who can connect to it. Fortunately, the Ollama team's response was highly impressive.
Ollama responded around four hours after Wiz informed it of the vulnerability on May 4 and immediately committed to creating a fix, which was released three days later, on May 8. Wiz's researchers advise security teams to make sure they are running a patched version of Ollama (0.1.34 or later) and, given the exposure they observed, not to expose Ollama API servers directly to the internet.