AI can't stop the sprint to adopt hot tech without security
Briefly

Ollama provides a framework to run large language models locally on desktops or servers. Over 1,100 Ollama servers are publicly accessible, with roughly 20 percent actively hosting models susceptible to unauthorized access. A Shodan scan discovered more than 1,000 exposed servers within ten minutes. Public exposure allows anyone to query LLMs and use exposed APIs, risking resource exhaustion and unexpected hosting costs, and enabling targeted attacks through exposed host-identifying information. Threats include model extraction, jailbreaking and content abuse, and backdoor injection or model poisoning. About 80 percent of exposed servers were dormant but remain vulnerable to unauthorized uploads or configuration manipulation.
Ollama provides a framework that makes it possible to run large language models locally, on a desktop machine or server. Cisco decided to research it because, in the words of Senior Incident Response Architect Dr. Giannis Tziakouris, Ollama has "gained popularity for its ease of use and local deployment capabilities." Talos researchers used the Shodan scanning tool to find unsecured Ollama servers, and spotted over 1,100, around 20 percent of which are "actively hosting models susceptible to unauthorized access."
Cisco's infosec investigators also worry about the following consequences:

- Model Extraction Attacks: attackers can reconstruct model parameters by querying an exposed ML server repeatedly.
- Jailbreaking and Content Abuse: LLMs like GPT-4, LLaMA, and Mistral can be manipulated to generate restricted content, including misinformation, malware code, or harmful outputs.
- Backdoor Injection and Model Poisoning: adversaries could exploit unsecured model endpoints to introduce malicious payloads or load untrusted models remotely.
Cisco classified 80 percent of the open Ollama servers it spotted as "dormant" because they were not running any models, meaning the above attacks would be futile. The bad news is that those servers "remain susceptible to exploitation via unauthorized model uploads or configuration manipulation."
Read at Theregister