A critical remote code execution (RCE) vulnerability, identified as CVE-2024-37032 and named Probllama by Wiz, has been disclosed in the Ollama open-source AI infrastructure platform. This flaw, discovered by cybersecurity researchers and promptly patched in version 0.1.34 on May 7, 2024, stems from insufficient input validation. It allows attackers to manipulate the “/api/pull” endpoint to upload a malicious model manifest file containing a path traversal payload. Exploitation of this vulnerability could lead to arbitrary file overwrites, including sensitive configuration files like “etc/ld.so.preload,” potentially enabling attackers to execute malicious code remotely.
While default Linux installations mitigate some risk by binding the API server to localhost, Docker deployments are at higher risk due to their public exposure. In such cases, the Ollama API server runs with root privileges and listens on “0.0.0.0,” facilitating remote exploitation. Security researcher Sagi Tzadik underscores the severity of this issue in Docker environments, where attackers could compromise AI models and inference servers without authentication safeguards.
The vulnerability underscores broader concerns about AI infrastructure security, especially regarding open-source tools lacking sufficient authentication and access controls. Wiz’s discovery of over 1,000 exposed Ollama instances highlights the widespread potential impact of CVE-2024-37032. Researchers emphasize the importance of immediate updates and additional security measures, such as implementing reverse proxies with authentication, to mitigate the risk of exploitation and protect against unauthorized access to AI models and infrastructure.
Reference:
