Full Report
Wiz Research discovered CVE-2024-37032, an easy-to-exploit Remote Code Execution vulnerability in the open-source AI Infrastructure project Ollama.
Analysis Summary
# Vulnerability: Probllama - Remote Code Execution in Ollama via Arbitrary File Write
## CVE Details
- CVE ID: CVE-2024-37032
- CVSS Score: Not explicitly provided, but described as "easy-to-exploit Remote Code Execution."
- CWE: Path Traversal (implied through the exploit mechanism involving file writing/manipulation).
## Affected Systems
- Products: Ollama (open-source project for running AI Models)
- Versions: Prior to 0.1.34
- Configurations: Default installations on Linux typically bind to localhost, reducing remote risk. However, **Docker deployments** expose the API server publicly, making them vulnerable to remote exploitation.
## Vulnerability Description
The vulnerability, dubbed "Probllama," is a Remote Code Execution (RCE) flaw stemming from an Arbitrary File Write primitive potentially enabled by a Path Traversal issue. In vulnerable configurations (especially Docker deployments running as `root`), an attacker can achieve RCE by manipulating system libraries. Specifically, the exploit involves:
1. Planting a malicious shared library payload (e.g., `/root/bad.so`) onto the filesystem.
2. Corrupting the `/etc/ld.so.preload` configuration file to include the path to this malicious library.
3. Triggering the Ollama API server (e.g., via the `/api/chat` endpoint) to start a new process, which loads the preloaded library, executing the attacker's code with elevated privileges (if running as `root`).
## Exploitation
- Status: PoC available (described in detail for root context)
- Complexity: Low (for root-enabled instances like Docker)
- Attack Vector: Network (via specially crafted HTTP requests to the exposed API server)
## Impact
- Confidentiality: High (Allows execution of arbitrary code, leading to data exfiltration)
- Integrity: High (Allows corruption/modification of system files and models)
- Availability: High (Allows system compromise or denial of service)
## Remediation
### Patches
- Upgrade Ollama to version **0.1.34 or newer**.
### Workarounds
- Do not expose the Ollama API server to the internet without protective middleware, such as a reverse proxy configured with strong authentication.
- Ensure Ollama is not running with `root` privileges, especially in containerized environments, if immediate patching is not possible.
## Detection
- **Indicators of compromise:** Unexpected loading of shared libraries via `/etc/ld.so.preload` or the presence of unknown shared objects in the filesystem.
- **Detection methods and tools:** Wiz customers can utilize pre-built queries in the Wiz Threat Center to scan for vulnerable instances. Monitoring network traffic for unusual HTTP requests to known Ollama API endpoints is also recommended.
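
A host-side check for the indicators and mitigations listed in this report, as an added example (not code from Wiz or the Ollama project). It assumes the caller supplies the Ollama version string, the contents of `/etc/ld.so.preload`, the API bind host and the process UID; the function names, finding labels and allowlist are hypothetical.

```python
import re

FIXED = (0, 1, 34)  # first patched release according to this report
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_version(text):
    """Extract (major, minor, patch) from a string such as '0.1.33'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def preload_entries(text):
    """List libraries named in ld.so.preload content.

    glibc separates entries by whitespace or ':' and treats '#' as a comment.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries

def audit(version, preload_text, bind_host, uid, allowed=()):
    """Return a list of findings for one Ollama host (hypothetical helper)."""
    findings = []
    if parse_version(version) < FIXED:
        findings.append("vulnerable-version")
    unknown = [e for e in preload_entries(preload_text) if e not in allowed]
    if unknown:
        findings.append("unexpected-preload:" + ",".join(unknown))
    if bind_host not in LOOPBACK:
        findings.append("api-exposed")
    if uid == 0:
        findings.append("runs-as-root")
    return findings

if __name__ == "__main__":
    # Constructed sample: an unpatched container, root, listening on all interfaces.
    sample_preload = "# constructed sample\n/root/bad.so\n"
    for finding in audit("0.1.33", sample_preload, "0.0.0.0", 0):
        print(finding)
```

On most hosts `/etc/ld.so.preload` is absent or empty, so any entry outside the allowlist is worth investigating.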
## References
- Vendor Advisory: Ollama confirmed the fix shortly after the report on May 5, 2024.
- Relevant Links:
  - Wiz Research Blog Post (contextual information regarding the discovery): https://www.wiz.io/
  - Ollama GitHub Repository (for downloading patched versions; check the official repository for final release notes): https://github.com/ollama/ollama