CVE-2025-8904 Overview
CVE-2025-8904 affects the Amazon EMR Secret Agent, which writes a Kerberos keytab file to the world-accessible /tmp/ directory. A local user who holds a second account on the host and can reach that directory can read the keytab, extract the stored keys, and assume the Kerberos identities tied to those credentials. This leads to privilege escalation on EMR clusters that rely on Kerberos for authentication to Hadoop, Hive, HBase, and related services. The weakness is tracked under CWE-257: Storing Passwords in a Recoverable Format. Amazon has remediated the issue in Amazon EMR 7.5 and provides a bootstrap script and RPM fix for releases 6.10 through 7.4.
Critical Impact
An authenticated local user can recover Kerberos credentials from /tmp/ and escalate privileges across EMR cluster services.
Affected Products
- Amazon EMR releases 6.10 through 7.4 (Secret Agent component)
- Amazon EMR clusters configured with Kerberos authentication
- Amazon EMR versions prior to 7.5
Discovery Timeline
- 2025-08-13 - CVE-2025-8904 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-8904
Vulnerability Analysis
The Amazon EMR Secret Agent is the component that distributes secrets, including Kerberos keytabs, to services running on EMR cluster nodes. During provisioning, the agent writes a keytab file containing Kerberos credentials to the /tmp/ directory. The /tmp/ path is shared, world-traversable, and accessible to every local account on the node.
Keytab files hold long-term Kerberos keys for service or user principals. Any process that can read the keytab can extract the keys and request Ticket Granting Tickets (TGTs) as those principals without a password prompt. Because EMR clusters frequently run Hadoop, Hive, HBase, Presto, and Spark services under privileged Kerberos identities, recovering a single keytab can yield broad access to cluster data and management interfaces.
Root Cause
The root cause is insecure storage of authentication material. Sensitive credentials should reside under a directory with restrictive permissions, such as /etc/security/keytabs/ with mode 0400 and ownership limited to the consuming service account. Placing the keytab in /tmp/ violates the principle of least privilege and exposes recoverable credentials to every local user on the host.
Attack Vector
Exploitation requires local access to an EMR node and an additional account on the host. The attacker enumerates /tmp/ for keytab artifacts, copies the file, and uses standard Kerberos tooling such as klist -k and kinit -kt to load the keys and request tickets. With valid tickets, the attacker authenticates to Kerberized services and operates with the privileges of the compromised principal.
The vulnerability does not require a remote exploit chain on its own. It compounds any prior local foothold, turning low-privilege code execution into broad cluster compromise. See the AWS Security Bulletin AWS-2025-017 for vendor technical details.
Detection Methods for CVE-2025-8904
Indicators of Compromise
- Presence of keytab files (.keytab extension or files containing the KRB5 magic bytes) under /tmp/ on EMR nodes
- Read access to /tmp/ keytab files by accounts other than the EMR Secret Agent owner
- Unexpected kinit -kt or klist -k invocations referencing files in /tmp/
Detection Strategies
- Scan EMR cluster nodes for keytab artifacts in /tmp/ and alert on any matches
- Enable Linux audit rules on /tmp/ to log open() and read() syscalls against keytab files
- Correlate Kerberos KDC logs for service tickets issued to principals that should only authenticate from controlled service accounts
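The scan described above, as an added example that is not AWS or EMR code: it walks a directory the way `find -maxdepth 2` would, identifies keytabs by the MIT keytab file header (version bytes 0x05 0x02) rather than by file name, so a renamed copy is still caught, and parses each entry to report the principal, enctype and kvno without ever retaining the key bytes. The output is the list of principals that must be rotated. The directory layout, file names, principal names and the all-zero placeholder key in `demo()` are constructed for the example.

```python
"""Find keytab artifacts in a directory and list the principals they expose.

Added example for this advisory, not AWS or EMR code. Files are recognised by the
MIT keytab header (0x05 0x02), not by extension, so renamed copies are caught;
entries are parsed for principal, enctype and kvno, and key bytes are never kept.
"""
import os
import struct
import tempfile
from collections import namedtuple

KEYTAB_MAGIC = b"\x05\x02"  # keytab format version 2: every integer is big-endian
KeytabEntry = namedtuple("KeytabEntry", "principal enctype kvno timestamp")


def parse_keytab(data: bytes) -> list:
    """Parse a version-2 keytab into KeytabEntry tuples; the key itself is skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []

    def take(fmt):  # unpack big-endian fields at the cursor and advance it
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals

    def counted():  # 16-bit length-prefixed octet string
        nonlocal pos
        (n,) = take(">H")
        pos += n
        return data[pos - n:pos]

    while pos + 4 <= len(data):
        (size,) = take(">i")
        if size < 0:  # negative size marks a deleted slot: skip its payload
            pos -= size
            continue
        end = pos + size
        (ncomp,) = take(">H")
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, timestamp, vno8, enctype = take(">iIBH")
        counted()  # the key bytes: read past them, never stored
        kvno = vno8
        if end - pos >= 4:  # optional 32-bit vno overrides the 8-bit one when non-zero
            kvno = take(">I")[0] or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, enctype, kvno, timestamp))
    return entries


def scan_keytabs(root: str, max_depth: int = 2) -> dict:
    """Walk root (like find -maxdepth) and map each keytab to its mode and principals."""
    base, report = root.rstrip(os.sep).count(os.sep), {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.rstrip(os.sep).count(os.sep) - base >= max_depth - 1:
            dirnames[:] = []  # stop descending
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(2) != KEYTAB_MAGIC:  # header check, not extension check
                        continue
                    data = KEYTAB_MAGIC + fh.read()
            except OSError:
                continue  # unreadable or vanished: nothing to report
            report[path] = {"mode": os.stat(path).st_mode & 0o777,
                            "principals": sorted({e.principal for e in parse_keytab(data)})}
    return report


def build_keytab(entries) -> bytes:
    """Build a version-2 keytab from (principal, enctype, kvno, key) tuples; test fixture only."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">iIBH", 1, 1723500000, kvno & 0xFF, enctype)  # NT-PRINCIPAL, constructed time
        body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def demo() -> dict:
    """Constructed scenario: a scratch directory standing in for /tmp on an EMR node."""
    root = tempfile.mkdtemp()
    placeholder_key = b"\x00" * 32  # constructed placeholder, not real key material
    stray = os.path.join(root, "agent-secret")  # deliberately no .keytab extension
    with open(stray, "wb") as fh:
        fh.write(build_keytab([
            ("emr-service/host.example.com@EXAMPLE.COM", 18, 3, placeholder_key),
            ("hive/host.example.com@EXAMPLE.COM", 18, 1, placeholder_key),
        ]))
    os.chmod(stray, 0o644)  # world-readable, matching the reported placement
    with open(os.path.join(root, "notes.keytab"), "w") as fh:  # decoy: extension only
        fh.write("not a keytab\n")
    return scan_keytabs(root)
```

Run `scan_keytabs("/tmp")` on a node to get a path-to-principals map; anything it returns is both a finding for the alert and the rotation list for the Immediate Actions section, and the decoy in `demo()` shows why the header check matters more than a `*.keytab` name match.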
Monitoring Recommendations
- Forward auditd, EMR Secret Agent, and KDC logs to a centralized SIEM for retention and correlation
- Alert on anomalous TGT requests originating from EMR worker nodes outside expected service startup windows
- Track filesystem changes in /tmp/ with file integrity monitoring tooling
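The audit correlation from the strategies above, as an added example that is not AWS tooling: it assumes an auditctl watch such as `-w /tmp -p r -k emr_keytab` is loaded, so every open-for-read under /tmp produces SYSCALL and PATH records sharing one audit event id, groups those records by event, and flags any event in which a keytab path under /tmp was opened by a UID outside the Secret Agent's. The UID 950, the process name `emr-secret-agent`, and the seven sample records are constructed for the example.

```python
"""Correlate auditd records to flag reads of keytab files under /tmp by unexpected accounts.

Added example for this advisory, not AWS tooling. It assumes a watch rule such as
    -w /tmp -p r -k emr_keytab
is loaded, so each open for reading under /tmp yields SYSCALL and PATH records that
share one audit event id. The Secret Agent UID and the sample records are constructed.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample (not a real capture): the agent's own read (event 301), a second
# account reading the same keytab with kinit (302), and an unrelated /tmp read (303).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1723500001.100:301): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=901 auid=4294967295 uid=950 gid=950 euid=950 comm="emr-secret-agent" exe="/usr/bin/emr-secret-agent" key="emr_keytab"
type=PATH msg=audit(1723500001.100:301): item=0 name="/tmp/emr-service.keytab" inode=4242 dev=fd:01 mode=0100644 ouid=950 ogid=950 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1723500042.200:302): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2100 pid=2134 auid=1001 uid=1001 gid=1001 euid=1001 comm="kinit" exe="/usr/bin/kinit" key="emr_keytab"
type=CWD msg=audit(1723500042.200:302): cwd="/home/analyst"
type=PATH msg=audit(1723500042.200:302): item=0 name="/tmp/emr-service.keytab" inode=4242 dev=fd:01 mode=0100644 ouid=950 ogid=950 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1723500050.300:303): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=2100 pid=2140 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/usr/bin/cat" key="emr_keytab"
type=PATH msg=audit(1723500050.300:303): item=0 name="/tmp/build.log" inode=5151 dev=fd:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
"""


def parse_events(text: str) -> dict:
    """Group audit records by event serial; each record becomes a dict of its fields."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        record = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        record["_time"] = float(m.group(1))
        events[int(m.group(2))].append(record)
    return events


def is_keytab_path(path: str) -> bool:
    """Paths the advisory describes: keytab artifacts placed directly under /tmp."""
    return path.startswith("/tmp/") and path.endswith(".keytab")


def suspicious_keytab_reads(text: str, allowed_uids: set) -> list:
    """Events in which a keytab under /tmp was opened by a UID outside allowed_uids."""
    hits = []
    for serial, records in sorted(parse_events(text).items()):
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        paths = sorted({r["name"] for r in records
                        if r.get("type") == "PATH" and is_keytab_path(r.get("name", ""))})
        if syscall is None or not paths:
            continue  # no syscall context, or nothing keytab-shaped was touched
        uid = int(syscall["uid"])
        if uid in allowed_uids:
            continue  # the agent reading its own file is expected
        hits.append({"serial": serial, "time": syscall["_time"], "uid": uid,
                     "comm": syscall.get("comm"), "exe": syscall.get("exe"),
                     "succeeded": syscall.get("success") == "yes", "paths": paths})
    return hits


if __name__ == "__main__":
    for hit in suspicious_keytab_reads(SAMPLE_AUDIT_LOG, allowed_uids={950}):
        print(hit)
```

Feed it the output of `ausearch -k emr_keytab --raw` (or the raw audit.log lines forwarded to the SIEM) and pass the Secret Agent's real UID as `allowed_uids`; a denied open is reported as well as a successful one, since after remediation even a failed attempt against a relocated keytab is worth a look.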
How to Mitigate CVE-2025-8904
Immediate Actions Required
- Upgrade EMR clusters to Amazon EMR 7.5 or higher, which addresses the keytab storage location
- For clusters running EMR 6.10 through 7.4, apply the AWS-provided bootstrap script and RPM files referenced in the security bulletin
- Rotate any Kerberos principals whose keytabs may have been exposed in /tmp/ prior to remediation
- Audit /tmp/ on existing nodes and remove residual keytab files after rotation
Patch Information
Amazon EMR 7.5 contains the fix. Refer to the AWS EMR 7.5.0 Release Notes for upgrade details and the GitHub Security Advisory GHSA-hf8h-76fm-735v for the coordinated disclosure record. For EMR 6.10 to 7.4, AWS publishes a bootstrap script and patched RPMs in the AWS Security Bulletin AWS-2025-017.
Workarounds
- Restrict interactive and SSH access to EMR cluster nodes to reduce the population of local accounts that could read /tmp/
- Apply restrictive umask settings and mount /tmp/ with noexec and per-user namespaces where supported
- Run the AWS-provided bootstrap script at cluster launch to relocate the keytab and tighten file permissions on releases that cannot be upgraded immediately
# Configuration example: rotate exposed Kerberos principals after patching
# 1. Randomize the principal's long-term key so any copy taken from /tmp/ stops working
kadmin -q "change_password -randkey emr-service/host.example.com@REALM"
# 2. Export the key into a keytab under a restricted directory (ktadd randomizes it again and bumps the kvno)
kadmin -q "ktadd -k /etc/security/keytabs/emr-service.keytab emr-service/host.example.com@REALM"
# 3. Limit the keytab to the consuming service account, read-only
chown emrsecretagent:emrsecretagent /etc/security/keytabs/emr-service.keytab
chmod 0400 /etc/security/keytabs/emr-service.keytab
# 4. Remove residual copies from /tmp/ only after the rotation above has completed
find /tmp -maxdepth 2 -name '*.keytab' -print -delete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


