The vulnerability could leave AI inference servers open to remote code execution that would allow them to be taken over.

Security researchers have discovered a critical remote code execution (RCE) flaw in Ollama, an open-source development platform for AI-based projects. Inspired by Docker, Ollama aims to simplify the process of packaging and deploying AI models. However, a lack of authentication support meant that vulnerable versions of the technology that were exposed to the internet could be hacked, according to cloud security vendor Wiz.

Wiz notified Ollama, which reacted promptly by releasing an updated version of the technology — version 0.1.34 — that’s free of the CVE-2024-37032 vulnerability. The flaw was fixed on May 8, but Wiz waited six weeks to go public with its findings.

In a technical blog post, Wiz explains how it came across the vulnerability while evaluating Ollama as a means to self-host an internal AI development project involving a large-context AI model.

Vulnerability could allow remote code execution

While experimenting with Ollama, Wiz discovered it was possible to use a path traversal vulnerability to overwrite files on the server. Further investigation revealed that the vulnerability — which stems from insufficient input validation — could be escalated to achieve full remote code execution.

“In Docker installations, it is pretty straightforward to exploit it and achieve remote code execution, as the server runs with root privileges,” according to Wiz.

Wiz warned that a large number of Ollama instances running a vulnerable version were exposed to the internet as of June 10. In default Linux installations, the Ollama API server binds to the local host, reducing the risk of attack. However, in Docker-based deployments the API server is publicly exposed and therefore vulnerable to attack.
Internet scans by Wiz identified more than 1,000 exposed Ollama server instances hosting numerous AI models, including private models not listed in the Ollama public repository. Ollama is used for self-hosted AI inference, and it supports many models out of the box. It also serves as the backend for common AI projects such as OpenWebUI, among others.

Hackers could use flaw to take over self-hosted AI inference servers

The Ollama flaw is similar to RCE flaws on other inference servers, including TorchServe and Ray Anyscale, discovered over the last 12 months, according to Wiz.

“These vulnerabilities could allow attackers to take over self-hosted AI inference servers, steal or modify AI models, and compromise AI applications,” according to Wiz. “The critical issue is not just the vulnerabilities themselves but the inherent lack of authentication support in these new tools.”

This lack of authentication support means that an attacker could access the system to either steal or modify AI models. Worse yet, a successful attack could allow an attacker to “execute remote code as a built-in feature,” according to Wiz.

The potential for mischief is extensive. Sagi Tzadik, the Wiz researcher who discovered the vulnerability, told CSO: “An attacker would be able to covertly leak private models, spy on user prompts, alter their responses, ransom the whole system, and even gain a foothold in the internal network. Once exploited, the machine is compromised.”

Authentication shortcomings create potential exposure

The lack of maturity for this class of technology makes it prudent to deploy additional security controls beyond applying Ollama’s patch, Wiz advised. Ollama setups should be isolated from the internet.

“The Ollama project is still in its early stages and does not support critical security features, like authentication,” Wiz’s Tzadik told CSO.
“Even with the latest version running, attackers can obtain the AI models used on the Ollama server and even run them using the victim’s compute power.”

Tzadik added: “We recommend using a reverse proxy to add an authentication layer on top of Ollama or connecting Ollama directly to the AI application.”

Organizations are rapidly adopting a variety of new AI tools and infrastructure in an attempt to gain a competitive edge. Unfortunately, standardized security features, such as authentication, are lagging behind functionality in the development of these platforms, according to Wiz.

Ollama did not immediately respond to requests from CSO for comment on the vulnerability and advice for users about what they need to do.
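The reverse-proxy-with-authentication layer Wiz recommends, as an added example that is not part of the article or the Ollama project: a small Go proxy that rejects any request lacking a bearer token (compared in constant time) before forwarding to a backend that has no authentication of its own. The upstream address 127.0.0.1:11434, the listen port and the OLLAMA_PROXY_TOKEN environment variable are assumptions for illustration.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// Assumed upstream: an Ollama API server bound to the local host only.
const upstream = "http://127.0.0.1:11434"

// authorized reports whether the request carries the expected bearer token.
// The comparison is constant-time so a wrong guess leaks nothing via timing.
func authorized(r *http.Request, token string) bool {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return false
	}
	got := strings.TrimPrefix(h, "Bearer ")
	return subtle.ConstantTimeCompare([]byte(got), []byte(token)) == 1
}

// NewAuthProxy returns a handler that enforces the token check and then
// reverse-proxies the request to target. Unauthenticated calls never reach it.
func NewAuthProxy(target, token string) (http.Handler, error) {
	u, err := url.Parse(target)
	if err != nil {
		return nil, err
	}
	proxy := httputil.NewSingleHostReverseProxy(u)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !authorized(r, token) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="ollama"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Del("Authorization") // do not forward the client's secret to the backend
		proxy.ServeHTTP(w, r)
	}), nil
}

func main() {
	token := os.Getenv("OLLAMA_PROXY_TOKEN") // assumed: a long random secret
	if token == "" {
		log.Fatal("OLLAMA_PROXY_TOKEN must be set")
	}
	h, err := NewAuthProxy(upstream, token)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", h)) // put TLS termination in front of this
}
```

Only the proxy's listen port should be reachable from clients; the Ollama listener itself stays bound to the local host as in the default Linux install.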