←back to thread

Finding thousands of exposed Ollama instances using Shodan

(blogs.cisco.com)
166 points rldjbpin | 1 comments | 03 Sep 25 08:18 UTC | HN request time: 0s | source
Show context
deadbabe ◴[03 Sep 25 10:06 UTC] No.45114029[source]
The stakes aren’t that high yet for Ollama to warrant cumbersome auth mechanisms.
replies(2): >>45114139 #>>45114224 #
jychang ◴[03 Sep 25 10:24 UTC] No.45114139[source]
Yeah, I don't think most people who even run ollama would care. "Oh no, someone found my exposed instance, which means my computer in my bedroom is burning electricity for the past few hours. Oh well, I lost a few pennies in electricity." Shuts down Ollama on the computer.

Seriously, this is extremely mild as far as issues go. There's basically no incentive to fix this problem, because I bet even the people who lost a few pennies of electricity would still prefer the convenience of ollama not having auth.

Plus, that's the worst case scenario, in real life even if some black hat found an exposed ollama service, they have no interest in generating tokens for <insert random LLM here at 4 bit quant> at a slow speed of <50tok/sec.

replies(3): >>45114209 #>>45114213 #>>45114232 #
dns_snek ◴[03 Sep 25 10:42 UTC] No.45114232[source]
If you think that's the worst case scenario you're in no position to be making security-related decisions. That line of thinking hinges on a very dangerous assumption that Ollama doesn't have any critical security vulnerabilities [1].

Don't expose services to the public internet unless they have been battle hardened to be exposed to the public internet, e.g. Nginx as an authenticating reverse proxy.

[1] https://github.com/advisories/GHSA-vq2g-prvr-rgr4

replies(1): >>45124912 #
_flux ◴[04 Sep 25 08:16 UTC] No.45124912[source]
In general Go programs are quite secure against remote code execution kind class of attacks.

Even this one would be remedied by not running ollama as root and not have its binaries owned by the user it is running as (though overwriting executables/libraries that are being mmapped as executables is usually not possible), which I hope would be the standard mode of its setup.

replies(1): >>45126118 #
dns_snek ◴[04 Sep 25 11:36 UTC] No.45126118[source]
I don't know why you would say that about Go, you're never more than one programming error away from creating a RCE vulnerability, no matter the language. Linked RCE should demonstrate that quite clearly, don't you think?

Either way my point is that software contains vulnerabilities, especially software that hasn't been hardened to be exposed to the public internet. Exposing it to the public internet anyway is a display of bad judgement, doubly so when the person responsible seems to believe that the worst thing that can happen is someone using the software as intended. Details of specific vulnerabilities are really beside the point here.

Assuming that the happy path is the worst that can happen is simply naive, there's no two ways about it.

replies(1): >>45127586 #
1. _flux ◴[04 Sep 25 14:21 UTC] No.45127586[source]
As I understand it, overwhelmingly large majority of CVEs over the history of computing have been due to buffer overflows or use-after-free. If you leave out those vectors, you might actually be pretty close to having RCE-free piece of software.

But sure, it's always possible to be more innovative about how to go about enabling RCEs, like the log4j case demonstrates..