Amazon EMR Secret Agent Kerberos Credential Exposure Vulnerability
Vulnerability
A vulnerability exists in the Amazon EMR Secret Agent component, which creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory, where it can be read by other local users who have access to that directory from a different account. Such access could potentially allow decryption of the keys and escalation to higher privileges. The issue affects Amazon EMR versions 6.10 through 7.4. The vulnerability arises when clusters use Lake Formation, Apache Ranger, runtime role, or Identity Center features that rely on the Secret Agent component.
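A defender-side check for the condition described above, added here as an example and not taken from the advisory or from Amazon's own tooling: it lists keytab files under a directory whose permission bits let group or other users read them. The /tmp default and the *.keytab filename pattern are assumptions (the advisory names only "a keytab file" under /tmp); the fixture files are constructed for the demonstration and contain no real credentials.

```shell
#!/bin/sh
# Added example, not part of the advisory. Audits a directory for keytab
# files that are readable by accounts other than the owner, which is the
# exposure the EMR Secret Agent advisory describes for /tmp.

# Print every *.keytab file under DIR (default /tmp) whose mode grants read
# access to group or others. GNU find's "-perm /mode" matches if ANY of the
# listed bits is set, which is exactly the "someone else can read it" test.
find_exposed_keytabs() {
    dir="${1:-/tmp}"
    find "$dir" -type f -name '*.keytab' -perm /g+r,o+r 2>/dev/null
}

# Number of exposed keytabs under DIR, as a bare integer (tr strips the
# leading spaces some wc implementations print).
count_exposed_keytabs() {
    find_exposed_keytabs "$1" | wc -l | tr -d ' '
}

# Constructed fixture for trying the check offline: one keytab readable by
# everyone (mode 644), one restricted to its owner (mode 600), and an
# unrelated world-readable file that the name filter must ignore. The
# contents are placeholders; real keytabs are binary and irrelevant here.
make_demo_fixture() {
    d=$(mktemp -d)
    printf 'placeholder' > "$d/exposed.keytab"; chmod 644 "$d/exposed.keytab"
    printf 'placeholder' > "$d/safe.keytab";    chmod 600 "$d/safe.keytab"
    printf 'placeholder' > "$d/notes.txt";      chmod 644 "$d/notes.txt"
    printf '%s\n' "$d"
}

# Usage on a live host (assumed path):   sh keytab_audit.sh /tmp
# Demo on the constructed fixture:       sh keytab_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    fixture=$(make_demo_fixture)
    echo "Exposed keytabs in $fixture:"
    find_exposed_keytabs "$fixture"
    rm -rf "$fixture"
elif [ -n "${1:-}" ]; then
    find_exposed_keytabs "$1"
fi
```

A non-empty result only tells you that a keytab is readable by others; `klist -kt <file>` (MIT Kerberos) shows which principals it holds so the affected identities can be assessed. Tightening the file mode is not a substitute for the vendor fix: the advisory's remediation remains upgrading to EMR 7.5 or applying the provided bootstrap script and RPMs.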
Impact
Exploitation of this vulnerability could lead to unauthorized access to Kerberos credentials, allowing for privilege escalation on the affected system.
Remediation
Users are advised to upgrade to Amazon EMR version 7.5 or higher. For those on Amazon EMR releases between 6.10 and 7.4, it is recommended to run the bootstrap script and RPM files with the fix provided.
