Critical Vulnerabilities in Ollama AI Framework Expose Systems to Attacks; Update Urged

Critical Out-of-Bounds Read Vulnerability in Ollama AI Framework Exposes Systems to Potential Attacks

Cybersecurity experts have identified a significant security flaw within the Ollama artificial intelligence (AI) framework, which could be exploited by malicious actors to execute various attacks, including denial-of-service (DoS), model theft, and model poisoning. This vulnerability, cataloged as CVE-2024-39720 with a CVSS score of 8.2, is an out-of-bounds read issue that can cause the application to crash, leading to a DoS condition. ([thehackernews.com](https://thehackernews.com/2024/11/critical-flaws-in-ollama-ai-framework.html?utm_source=openai))

Ollama is an open-source platform that enables users to deploy and operate large language models (LLMs) locally on Windows, Linux, and macOS devices. Its GitHub repository has been forked over 7,600 times, indicating its widespread use and significance in the AI community. ([thehackernews.com](https://thehackernews.com/2024/11/critical-flaws-in-ollama-ai-framework.html?utm_source=openai))

The vulnerability resides in the `/api/create` endpoint of the Ollama API server. By sending specially crafted HTTP requests to this endpoint, an attacker can exploit the out-of-bounds read flaw, causing the application to crash and resulting in a denial-of-service condition. This issue was addressed in version 0.1.46 of Ollama, released on November 4, 2024. ([thehackernews.com](https://thehackernews.com/2024/11/critical-flaws-in-ollama-ai-framework.html?utm_source=openai))

In addition to CVE-2024-39720, researchers have disclosed five other vulnerabilities in the Ollama framework:

1. CVE-2024-39719 (CVSS score: 7.5)
   - Description: An attacker can exploit the `/api/create` endpoint to determine the existence of a file on the server.
   - Fix: Addressed in version 0.1.47.

2. CVE-2024-39721 (CVSS score: 7.5)
   - Description: Repeatedly invoking the `/api/create` endpoint with the file `/dev/random` as input can cause resource exhaustion, leading to a DoS condition.
   - Fix: Addressed in version 0.1.34.

3. CVE-2024-39722 (CVSS score: 7.5)
   - Description: A path traversal vulnerability in the `/api/push` endpoint exposes files and the entire directory structure on the server.
   - Fix: Addressed in version 0.1.46.

4. Model Poisoning Vulnerability
   - Description: The `/api/pull` endpoint can be exploited to pull malicious models from untrusted sources, leading to model poisoning.
   - Fix: Unpatched; users are advised to filter exposed endpoints using a proxy or web application firewall.

5. Model Theft Vulnerability
   - Description: The `/api/push` endpoint can be exploited to push models to untrusted targets, leading to model theft.
   - Fix: Unpatched; users are advised to filter exposed endpoints using a proxy or web application firewall.
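The fix versions above give a defender a simple way to triage a deployment: compare the running Ollama version against each CVE's fix version and list what is still open. The following script is an added example, not code from the article or from the Ollama project. It encodes the fix versions exactly as the article states them and assumes only that the version string comes from Ollama's `GET /api/version` response (assumed to have the shape `{"version": "0.1.46"}`); the two unpatched issues are always reported, since no version check can clear them.

```python
"""Added example (not from the article or the Ollama project): compare a running
Ollama version against the fix versions the article lists for each CVE."""
import re

# Fix versions exactly as stated in the article.
FIXED_IN = {
    "CVE-2024-39720": "0.1.46",  # out-of-bounds read in /api/create
    "CVE-2024-39719": "0.1.47",  # file-existence disclosure via /api/create
    "CVE-2024-39721": "0.1.34",  # resource exhaustion via /api/create
    "CVE-2024-39722": "0.1.46",  # path traversal in /api/push
}

# Issues the article reports as unpatched: no version check clears these, so
# they are always included in the report with the article's advised mitigation.
UNPATCHED = {
    "model poisoning via /api/pull": "filter the endpoint at a proxy or WAF",
    "model theft via /api/push": "filter the endpoint at a proxy or WAF",
}

# Accept '0.1.46', 'v0.1.46' and '0.1.46-rc1'; only major.minor.patch is compared.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def unpatched_cves(version):
    """Return the CVEs whose fix version is newer than the running version."""
    running = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if running < parse_version(fixed))


def assess(version_response):
    """Build a report from a parsed /api/version body (assumed shape:
    {"version": "..."}). Returns the open CVEs plus the always-open items."""
    version = version_response["version"]
    return {
        "version": version,
        "open_cves": unpatched_cves(version),
        "needs_endpoint_filtering": dict(UNPATCHED),
    }


if __name__ == "__main__":
    # Constructed sample response; in practice this would be the JSON body
    # returned by GET /api/version on the instance being checked.
    print(assess({"version": "0.1.46"}))
```

Because `CVE-2024-39719` was fixed one release later than the others, an instance on 0.1.46 still shows one open CVE, which is the kind of off-by-one-release gap this check is meant to catch.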

Security researchers have emphasized the severity of these vulnerabilities, noting that they could allow an attacker to perform a wide range of malicious actions with a single HTTP request, including DoS attacks, model poisoning, and model theft. ([thehackernews.com](https://thehackernews.com/2024/11/critical-flaws-in-ollama-ai-framework.html?utm_source=openai))

Oligo Security, the firm that disclosed these vulnerabilities, found nearly 10,000 unique internet-facing instances running Ollama, with a significant number located in China, the U.S., Germany, South Korea, Taiwan, France, the U.K., India, Singapore, and Hong Kong. Approximately 25% of these servers were deemed vulnerable to the identified flaws. ([thehackernews.com](https://thehackernews.com/2024/11/critical-flaws-in-ollama-ai-framework.html?utm_source=openai))

Given the critical nature of these vulnerabilities, it is imperative for organizations using Ollama to update their installations to the latest versions and implement recommended security measures to mitigate potential risks.
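The mitigation the article recommends for the two unpatched issues, filtering exposed endpoints at a proxy or web application firewall, comes down to an allow-list: clients get the inference endpoints, and the management endpoints (`/api/create`, `/api/pull`, `/api/push`) are reachable only from the host itself or a trusted administrative network. The script below is an added example, not code from the article or from the Ollama project. It expresses that policy as a decision function and then runs it over constructed access-log lines, so the same rule doubles as a detection check for instances that were already exposed. The allowed inference paths (`/api/generate`, `/api/chat`, `/api/tags`, `/api/version`) and the `10.0.0.0/8` admin network are assumptions for this example; the article names only the three management endpoints.

```python
"""Added example (not from the article or the Ollama project): an allow-list
policy for the Ollama HTTP API, applied to constructed access-log lines."""
import ipaddress
import re
from collections import Counter

# Management endpoints the article ties to the reported issues. Requests to
# these should only ever come from the host or a trusted admin network.
MANAGEMENT_PATHS = {
    "/api/create": "CVE-2024-39720 / CVE-2024-39719 / CVE-2024-39721",
    "/api/pull": "model poisoning (unpatched)",
    "/api/push": "CVE-2024-39722 / model theft (unpatched)",
}

# Inference paths a proxy may forward from ordinary clients. Assumption for this
# example: the article does not say which paths a deployment chooses to expose.
ALLOWED_PATHS = {"/api/generate", "/api/chat", "/api/tags", "/api/version"}

# Constructed trusted admin network for this example.
ADMIN_NETWORK = ipaddress.ip_network("10.0.0.0/8")


def normalise(path):
    """Drop the query string and trailing slash so rules match the path only."""
    return path.split("?", 1)[0].rstrip("/") or "/"


def decide(path, client_ip):
    """Return 'allow' or 'deny' for one request, as a proxy rule would.
    Default is deny: anything not explicitly listed is refused."""
    addr = ipaddress.ip_address(client_ip)
    base = normalise(path)
    if base in MANAGEMENT_PATHS:
        trusted = addr.is_loopback or addr in ADMIN_NETWORK
        return "allow" if trusted else "deny"
    return "allow" if base in ALLOWED_PATHS else "deny"


# Minimal common-log-format parser: client IP, method, path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, method, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path, int(status)


def review(log_text, burst_threshold=3):
    """Flag management-endpoint requests the policy would deny, and report
    clients that hit /api/create repeatedly (the resource-exhaustion pattern
    behind CVE-2024-39721 is repeated invocation of that endpoint)."""
    flagged = []
    create_hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, path, _status = rec
        base = normalise(path)
        if base == "/api/create":
            create_hits[ip] += 1
        if base in MANAGEMENT_PATHS and decide(path, ip) == "deny":
            flagged.append((ip, base, MANAGEMENT_PATHS[base]))
    bursts = {ip: n for ip, n in create_hits.items() if n >= burst_threshold}
    return {"flagged": flagged, "create_bursts": bursts}


# Constructed sample log: one loopback client, two internet clients, one admin.
SAMPLE_LOG = """\
127.0.0.1 - - [04/Nov/2024:10:00:01 +0000] "POST /api/generate HTTP/1.1" 200 512
203.0.113.7 - - [04/Nov/2024:10:00:02 +0000] "POST /api/chat HTTP/1.1" 200 1024
203.0.113.7 - - [04/Nov/2024:10:00:03 +0000] "POST /api/pull HTTP/1.1" 200 88
198.51.100.9 - - [04/Nov/2024:10:00:04 +0000] "POST /api/create HTTP/1.1" 500 0
198.51.100.9 - - [04/Nov/2024:10:00:05 +0000] "POST /api/create HTTP/1.1" 500 0
198.51.100.9 - - [04/Nov/2024:10:00:06 +0000] "POST /api/create HTTP/1.1" 500 0
10.1.2.3 - - [04/Nov/2024:10:00:07 +0000] "POST /api/push HTTP/1.1" 200 40
"""

if __name__ == "__main__":
    for ip, base, why in review(SAMPLE_LOG)["flagged"]:
        print(f"{ip} reached {base} ({why})")
```

Run against the sample, the review flags the internet-facing `/api/pull` and `/api/create` requests but not the `/api/push` call from the admin network, and it singles out the client that called `/api/create` three times. A real deployment would put the `decide` rule in the proxy configuration and keep Ollama bound to localhost behind it; the log review is the after-the-fact check for instances that were reachable before the filter went in.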