<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Model-Injection - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/model-injection/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/model-injection/feed.xml" rel="self" type="application/rss+xml"/><item><title>Ollama Server Possible RCE via Malicious Model Loading</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-ollama-rce/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-ollama-rce/</guid><description>The detection identifies potential remote code execution attempts on Ollama servers through malicious model loading by monitoring error messages and failure patterns during model loading operations, which could indicate malicious model injection, path traversal attempts, or exploitation of model loading mechanisms, leading to arbitrary code execution on the server.</description><content:encoded><![CDATA[<p>This brief addresses a critical vulnerability in Ollama servers that could lead to remote code execution (RCE). The threat involves attackers attempting to load malicious models onto the server to execute arbitrary code. This is achieved by exploiting vulnerabilities in the model loading process or by injecting specially crafted models designed to trigger server errors and allow code execution. The detection focuses on identifying unusual error patterns during model loading, such as crashes, failures related to &quot;llama runner,&quot; and model-specific errors. This activity may originate from an external threat actor or a malicious insider attempting to compromise the Ollama server. Successful exploitation allows the attacker to gain full control of the server.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies an Ollama server with accessible model loading functionality.</li>
<li>The attacker crafts a malicious model or exploits an existing model.</li>
<li>The attacker initiates a model loading request to the Ollama server.</li>
<li>The Ollama server attempts to load the model.</li>
<li>The malicious model triggers an error within the llama runner component or the model processing logic.</li>
<li>The error leads to a service crash or code execution due to vulnerabilities in the model loader.</li>
<li>The attacker gains remote code execution on the Ollama server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to complete compromise of the Ollama server. The attacker gains the ability to execute arbitrary code, potentially leading to data exfiltration, denial of service, or further lateral movement within the network. The risk is heightened due to the potential for sensitive data stored or processed by the Ollama server to be exposed or manipulated. The number of victims and specific sectors targeted are unknown, but the impact is potentially widespread given the increasing adoption of Ollama servers.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the <code>Ollama Possible RCE via Model Loading</code> Sigma rule to your SIEM to detect suspicious model loading errors on Ollama servers.</li>
<li>Review and harden the Ollama server configuration to restrict model loading permissions and validate model integrity.</li>
<li>Implement network segmentation to limit the impact of a compromised Ollama server.</li>
<li>Investigate any detected instances of model loading errors and potential RCE attempts based on the Sigma rule output.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>ollama</category><category>rce</category><category>model-injection</category></item></channel></rss>