CVE-2024-45436 Overview
CVE-2024-45436 is a path traversal vulnerability (also known as "Zip Slip") discovered in Ollama, the popular open-source framework for running large language models (LLMs) locally. The vulnerability exists in the extractFromZipFile function within model.go, which allows extraction of ZIP archive members outside of the intended parent directory. This flaw can be exploited by attackers to write arbitrary files to the filesystem, potentially leading to unauthorized data access or further system compromise.
Critical Impact
Remote attackers can exploit this vulnerability without authentication to extract malicious files outside the intended directory, potentially overwriting critical system files or gaining unauthorized access to sensitive data on systems running vulnerable Ollama versions.
Affected Products
- Ollama versions prior to 0.1.47
- All installations using the vulnerable extractFromZipFile function in model.go
- Systems importing or processing untrusted model archives
Discovery Timeline
- 2024-08-29 - CVE-2024-45436 published to NVD
- 2024-08-30 - Last updated in NVD database
Technical Details for CVE-2024-45436
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly referred to as a "Zip Slip" attack. The extractFromZipFile function in Ollama's model.go fails to properly validate file paths contained within ZIP archives before extraction. When processing a maliciously crafted ZIP file, the function does not sanitize relative path components such as ../ sequences, allowing an attacker to traverse outside the intended extraction directory.
The vulnerability is remotely exploitable over the network without requiring any user interaction or prior authentication. It primarily impacts the confidentiality of the affected system, as attackers can potentially read sensitive files or overwrite existing files with malicious content.
Root Cause
The root cause of this vulnerability lies in insufficient input validation within the ZIP extraction logic. The extractFromZipFile function in model.go does not properly check whether the resolved file path remains within the designated extraction directory. This allows ZIP entries containing path traversal sequences (e.g., ../../etc/passwd or ../../../sensitive_file) to escape the sandbox and write files to arbitrary locations on the filesystem.
Attack Vector
The attack vector is network-based, requiring an attacker to supply a maliciously crafted ZIP archive to a vulnerable Ollama instance. This could occur through:
- Malicious Model Distribution: An attacker creates a model archive containing path traversal sequences in file names
- Import/Upload Functionality: When Ollama processes the archive, it extracts files without validating their destination paths
- Arbitrary File Write: Files are written outside the intended directory, potentially overwriting system files or placing malicious content in sensitive locations
The vulnerability allows extraction of archive members to arbitrary filesystem locations. When a ZIP file containing entries with path traversal sequences like ../../../etc/cron.d/malicious is processed, the extraction routine follows the relative path, escaping the intended extraction directory and writing files to unintended locations. See the GitHub Pull Request Discussion for additional technical details about the fix implementation.
Detection Methods for CVE-2024-45436
Indicators of Compromise
- Unexpected files appearing outside of Ollama's designated model directories
- Presence of files with suspicious names or content in system directories that shouldn't be modified by Ollama
- Log entries showing extraction of files to paths containing ../ sequences
- Modifications to cron jobs, startup scripts, or configuration files that coincide with model imports
Detection Strategies
- Monitor file creation events outside of Ollama's expected working directories during model import operations
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized modifications
- Review Ollama logs for any evidence of path traversal attempts during ZIP extraction
- Use endpoint detection tools to alert on suspicious file writes following model import activities
Monitoring Recommendations
- Deploy SentinelOne agents to monitor for anomalous file system activity associated with the Ollama process
- Configure alerts for file creations by Ollama processes in directories outside /usr/share/ollama, ~/.ollama, or other legitimate model storage paths
- Monitor for processes spawned from files unexpectedly written by Ollama
- Review system logs for any indicators of exploitation following model downloads or imports
How to Mitigate CVE-2024-45436
Immediate Actions Required
- Upgrade Ollama to version 0.1.47 or later immediately
- Audit systems for any signs of compromise, particularly unexpected files in sensitive directories
- Review recently imported models for potential malicious content
- Restrict network access to Ollama instances until patching is complete
Patch Information
The vulnerability has been addressed in Ollama version 0.1.47. The fix implements proper path validation in the extractFromZipFile function to ensure extracted files remain within the intended parent directory. Detailed information about the patch can be found in the GitHub Release Notes and the GitHub Pull Request Discussion.
Organizations should upgrade to version 0.1.47 or later as soon as possible.
Workarounds
- If immediate patching is not possible, restrict Ollama's file system permissions to limit the impact of potential exploitation
- Run Ollama in a containerized environment with strict volume mount restrictions
- Implement network segmentation to limit which systems can interact with Ollama instances
- Only import models from trusted, verified sources until the upgrade can be applied
# Upgrade Ollama to patched version
# Using the official install script
curl -fsSL https://ollama.com/install.sh | sh
# Verify the installed version
ollama --version
# Should show 0.1.47 or later
# If using Docker, update to the latest image
docker pull ollama/ollama:latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
