Most active commenters

    ←back to thread

    Finding thousands of exposed Ollama instances using Shodan

    (blogs.cisco.com)
    166 points rldjbpin | 12 comments | 03 Sep 25 08:18 UTC | HN request time: 0.67s | source | bottom
    1. deadbabe ◴[03 Sep 25 10:06 UTC] No.45114029[source]
    The stakes aren’t that high yet for Ollama to warrant cumbersome auth mechanisms.
    replies(2): >>45114139 #>>45114224 #
    2. jychang ◴[03 Sep 25 10:24 UTC] No.45114139[source]
    Yeah, I don't think most people who even run ollama would care. "Oh no, someone found my exposed instance, which means my computer in my bedroom is burning electricity for the past few hours. Oh well, I lost a few pennies in electricity." Shuts down Ollama on the computer.

    Seriously, this is extremely mild as far as issues go. There's basically no incentive to fix this problem, because I bet even the people who lost a few pennies of electricity would still prefer the convenience of ollama not having auth.

    Plus, that's the worst case scenario, in real life even if some black hat found an exposed ollama service, they have no interest in generating tokens for <insert random LLM here at 4 bit quant> at a slow speed of <50tok/sec.

    replies(3): >>45114209 #>>45114213 #>>45114232 #
    3. ekianjo ◴[03 Sep 25 10:38 UTC] No.45114209[source]
    That is assuming you cannot exploit the server to get access to the machine...
    4. 42lux ◴[03 Sep 25 10:40 UTC] No.45114213[source]
    Is that agency over yourself called vibe living?
    5. reilly3000 ◴[03 Sep 25 10:41 UTC] No.45114224[source]
    If any MCP servers are running, anyone with access to query the chat endpoint can use them. That could include file system access, GitHub tokens and more.
    replies(3): >>45114274 #>>45114972 #>>45115474 #
    6. dns_snek ◴[03 Sep 25 10:42 UTC] No.45114232[source]
    If you think that's the worst case scenario you're in no position to be making security-related decisions. That line of thinking hinges on a very dangerous assumption that Ollama doesn't have any critical security vulnerabilities [1].

    Don't expose services to the public internet unless they have been battle hardened to be exposed to the public internet, e.g. Nginx as an authenticating reverse proxy.

    [1] https://github.com/advisories/GHSA-vq2g-prvr-rgr4

    replies(1): >>45124912 #
    7. jangxx ◴[03 Sep 25 10:49 UTC] No.45114274[source]
    ollama can't connect to MCP servers, it can merely run models which output instructions back to a connected system to connect to an MCP server (e.g mcphost using ollama to run a prompt and then itself connecting to an MCP server if the response requires it).
    8. stoneyhrm1 ◴[03 Sep 25 12:35 UTC] No.45114972[source]
    The LLM endpoint via ollama or huggingface is not the one executing MCP tool calls, that is on behalf of the client that is interacting with the LLM. All the LLM does is take input as a prompt and produce a text output, that's it. Anything else is just a wrapper.
    9. deadbabe ◴[03 Sep 25 13:23 UTC] No.45115474[source]
    That is is completely false, ollama has nothing to do with running commands, it just processes prompts to text responses.
    10. _flux ◴[04 Sep 25 08:16 UTC] No.45124912{3}[source]
    In general Go programs are quite secure against remote code execution kind class of attacks.

    Even this one would be remedied by not running ollama as root and not have its binaries owned by the user it is running as (though overwriting executables/libraries that are being mmapped as executables is usually not possible), which I hope would be the standard mode of its setup.

    replies(1): >>45126118 #
    11. dns_snek ◴[04 Sep 25 11:36 UTC] No.45126118{4}[source]
    I don't know why you would say that about Go, you're never more than one programming error away from creating a RCE vulnerability, no matter the language. Linked RCE should demonstrate that quite clearly, don't you think?

    Either way my point is that software contains vulnerabilities, especially software that hasn't been hardened to be exposed to the public internet. Exposing it to the public internet anyway is a display of bad judgement, doubly so when the person responsible seems to believe that the worst thing that can happen is someone using the software as intended. Details of specific vulnerabilities are really beside the point here.

    Assuming that the happy path is the worst that can happen is simply naive, there's no two ways about it.

    replies(1): >>45127586 #
    12. _flux ◴[04 Sep 25 14:21 UTC] No.45127586{5}[source]
    As I understand it, overwhelmingly large majority of CVEs over the history of computing have been due to buffer overflows or use-after-free. If you leave out those vectors, you might actually be pretty close to having RCE-free piece of software.

    But sure, it's always possible to be more innovative about how to go about enabling RCEs, like the log4j case demonstrates..