Six Major Vulnerabilities Discovered in Ollama AI Framework: Risks of Model Theft, Poisoning, and Denial-of-Service


VTA-004499 – Six Major Vulnerabilities Discovered in Ollama AI Framework: Risks of Model Theft, Poisoning, and Denial-of-Service

Ollama, an open-source application for deploying and operating large language models (LLMs) on local devices (Windows, Linux, macOS), has gained popularity for enabling locally hosted AI deployments without cloud dependence. However, recent findings by cybersecurity researchers have uncovered six critical vulnerabilities in Ollama, raising significant security concerns. These vulnerabilities potentially open the door for attackers to execute harmful actions like denial-of-service (DoS), model poisoning, and model theft.

Among the identified vulnerabilities is CVE-2024-39719 (CVSS 7.5), which abuses the /api/create endpoint to check whether files exist on the server; it was fixed in version 0.1.47. CVE-2024-39720 (CVSS 8.2) is an out-of-bounds read in /api/create that can crash the application, addressed in version 0.1.46. CVE-2024-39721 (CVSS 7.5) allows resource exhaustion through repeated requests to /api/create and was patched in version 0.1.34. CVE-2024-39722 (CVSS 7.5), a path traversal flaw in /api/push, exposes the server’s directory structure and was also fixed in version 0.1.46.

Two vulnerabilities remain unresolved. One allows model poisoning via the /api/pull endpoint from untrusted sources, while the other enables model theft through the /api/push endpoint to untrusted destinations.

In response, Ollama’s maintainers recommend restricting endpoint exposure through a proxy or web application firewall. Security firm Oligo discovered multiple instances of Ollama exposed to the internet, notably in countries like China, the U.S., Germany, and South Korea. This disclosure follows a previously reported serious flaw (CVE-2024-37032) by Wiz, which could lead to remote code execution on Ollama.

The vulnerabilities underscore the need for secure configuration when deploying AI models locally. Leaving Ollama instances publicly exposed is comparable to leaving the Docker socket open to the internet, given Ollama’s file upload and model handling capabilities, which attackers could exploit.

Severity:
Medium

Attack Surface:
Endpoint, Web Application

Tactics:
Credential Access, Discovery, Impact, Initial Access

Techniques:
T1111 – Two-Factor Authentication Interception
T1553 – Subvert Trust Controls
T1566 – Phishing
T1083 – File and Directory Discovery
T1005 – Data from Local System
T1499 – Endpoint Denial of Service
T1082 – System Information Discovery
T1565 – Data Manipulation
T1537 – Transfer Data to Cloud Account

References:
1. https://www.oligo.security/blog/more-models-more-probllms

SuperPRO’s Threat Countermeasures Procedures: 
1. Restrict access to Ollama endpoints by placing them behind a proxy or a web application firewall (WAF). This helps control and monitor incoming requests, reducing exposure to potential attacks.
2. Ensure that Ollama is updated to the latest version to address known vulnerabilities.
3. Ensure that the /api/pull endpoint is configured to only accept models from trusted sources, to prevent potential model poisoning.
4. Limit the /api/push endpoint to trusted destinations only, to prevent unauthorized model theft.
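As an added example (not part of this advisory or the Ollama project), the script below supports step 2 by comparing the version an Ollama instance reports against the fix versions named above and listing which of the four patched CVEs still apply. It assumes Ollama answers GET /api/version on its default port 11434 with a JSON object containing a "version" field; the two unresolved /api/pull and /api/push issues cannot be detected by version and must be handled by the proxy restrictions in steps 1, 3 and 4.

```python
"""Version audit against the fix versions listed in the advisory.
Assumption: the instance answers GET /api/version with {"version": "x.y.z"}."""
import json
import re
import urllib.request

# Fix versions exactly as stated in the advisory text.
FIXED_IN = {
    "CVE-2024-39719": (0, 1, 47),   # file-existence check via /api/create
    "CVE-2024-39720": (0, 1, 46),   # out-of-bounds read in /api/create
    "CVE-2024-39721": (0, 1, 34),   # resource exhaustion via /api/create
    "CVE-2024-39722": (0, 1, 46),   # path traversal in /api/push
}


def parse_version(text: str) -> tuple:
    """Turn '0.1.46', 'v0.1.46' or '0.1.46-rc1' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def unpatched_cves(version: str) -> list:
    """Return the advisory CVEs whose fix version is newer than `version`."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)


def audit_instance(base_url: str = "http://127.0.0.1:11434") -> dict:
    """Fetch the reported version from a local instance and summarise it.
    This is the only network call; the functions above work offline."""
    with urllib.request.urlopen(f"{base_url}/api/version", timeout=5) as r:
        version = json.load(r)["version"]
    return {"version": version, "unpatched": unpatched_cves(version)}


if __name__ == "__main__":
    # Point base_url at the instance under review (local by default).
    print(audit_instance())
```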

Contributed by: Eddie