A potential risk in the fc-stable-diffuson can be used to escalate permission.

[zolaer9527]

Hello! I found a potential risk in the fc-stable-diffuson when I deployed it in the Alibaba Cloud Serverless Application Center. The service of the application has the role of excessive permission. A malicious can leverage the permissions of the aliyunfcserverlessdevsrole to escalate permission.

Details Analysis
After the application was deployed, it created a service named fc-stable-diffusion-plus. This service has two functions that are sd and admin. They all inherit the role of fc-stable-diffusion-plus. This role named aliyunfcserverlessdevsrole is the default role for the Serverless Application Center to create the resources of the application, which is an application role, not a service role. This role is a role that every application will use in the application center during creation. It cannot be replaced and can only add corresponding policies. Therefore, after deploying many applications, the permissions of this role will be very high. It should not be used as a service role by the services created by the applications. The service should use the default role for function compute, which is aliyunfcdefaultrole. So a malicious user who controls this function can escalate privilege by leveraging the aliyunfcserverlessdevsrole having excessive permission.

Attack Scenario
Assuming such an attack scenario, in a company, there are two employees Bob and Alice, and the company has an Alibaba Cloud account. The two employees are two RAM users in the account. Bob's RAM user only has the relevant permissions for Function Compute, while Alice's RAM user has administrator permissions. Alice has created the fc-llm-api application through the serverless application center in the account. In that way, Bob can use the permissions related to Function Compute to obtain the AccessKeyID, AccessKeySecret, and SecurityToken of the role used by the service in the fc-stable-diffusion-plus, thereby causing permission escalation.

Mitigation Discussion
The service should use the default role for function compute, not the default role for Serverless Application Center. In other words, the service should use the aliyunfcdefaultrole, not the aliyunfcserverlessdevsrole.

Question

1. Is it a real issue in the fc-stable-diffuson?
2. If it's a real issue, can any of my suggestions be used to solve this problem?
3. If my suggestions could be used to solve this problem, could you give me a CVE number to award my discovery?

By the way, I have sent an email to service@serverlessfans.com according to your CONTRIBUTING.md, but it said the email doesn't exist. So I have to raise an issue to report this issue to you. I apologize for any inconvenience caused to you.

[zolaer9527]

Hello, are there any updates?

[zxypro1]

@lowkeyrd Please check. Also, for Alibaba Cloud issues, its better to report via aliyun.com website.

[zolaer9527]

I'm sorry for the inconvenience caused to you. I found this report way in the source code of the fc-stable-diffuson application. It said, "您如果有关于错误的反馈或者未来的期待，您可以在 Serverless Devs repo Issues 中进行反馈和交流。"

I'm very sorry again. If possible, could you help me find the correct report way about Alibaba Cloud issues?

[zxypro1]

https://fcnext.console.aliyun.com/self-service or join Dingding group 11721331.

[zolaer9527]

Thank you for your help. I will report the issue through the Dingding group, and I would greatly appreciate it if you could help confirm the potential security issue here.