EUVD-2025-19013

CVE-2025-6032 | HIGH 8.3 (CVSS 3.1)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 15, 2026 - 22:36 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 22:36 (euvd) - EUVD-2025-19013
CVE Published: Jun 24, 2025 - 14:15 (nvd) - HIGH 8.3

Description (NVD)

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading VM images from an OCI registry. This issue makes a man-in-the-middle attack possible.

Analysis (AI)

CVE-2025-6032 is a TLS certificate validation bypass in Podman's machine init command: the command does not verify the server certificate when downloading VM images from OCI registries, which enables man-in-the-middle (MITM) attacks. It affects users who run Podman machine initialization on networks where an attacker can intercept traffic. The CVSS score of 8.3 indicates high severity, with potential impact on confidentiality, integrity, and availability, but real-world exploitation requires specific network positioning (AC:H, high attack complexity) and user interaction (UI:R), so the practical risk is moderate despite the high base score.

Technical Context (AI)

Podman machine init uses OCI registry pull mechanics to download pre-built VM images for machine provisioning. The vulnerability lies in the TLS/HTTPS handling during the image download: the code does not perform proper certificate chain validation, which is CWE-295 (Improper Certificate Validation). This is a classic cryptographic failure in which the application establishes an encrypted channel without authenticating the identity of the remote endpoint. The affected technology involves OCI Distribution Spec compliance, containerd image services, and Go's crypto/tls package. When a user runs podman machine init, the client should check that the OCI registry's certificate chains to an expected trust anchor; instead, it accepts any certificate or potentially skips validation entirely. An attacker positioned on the network path (AV:N) can therefore serve a malicious VM image while the client treats the connection as legitimate.
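The following Go program is an added illustration of the CWE-295 pattern described above, not Podman's own code: it builds an HTTPS client with verification disabled (the weak setting) and one with verification enabled, and pulls from a constructed local TLS server whose self-signed certificate is not trusted, showing that only the verifying client refuses the untrusted endpoint and that an explicit trust anchor is what makes the hardened client accept it. The server, its handler, and the helper names are assumptions for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient builds an HTTPS client; skipVerify=true is the CWE-295 pattern (encrypted, peer unauthenticated).
func newClient(skipVerify bool, roots *x509.CertPool) *http.Client {
	cfg := &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: skipVerify, // weak setting when true
		RootCAs:            roots,      // trust anchors; nil = system store
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// fetch downloads url; a chain-verification failure surfaces as an error from Get.
func fetch(c *http.Client, url string) (bool, error) {
	resp, err := c.Get(url)
	if err != nil {
		return false, err
	}
	_ = resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}

// demo pulls from a constructed local server with a self-signed certificate
// (standing in for an untrusted endpoint) using three client configurations.
func demo() (unverifiedAccepts, verifiedRejects, pinnedAccepts bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "constructed-vm-image-bytes")
	}))
	defer srv.Close()
	unverifiedAccepts, _ = fetch(newClient(true, nil), srv.URL)    // vulnerable: accepts anything
	_, err := fetch(newClient(false, x509.NewCertPool()), srv.URL) // hardened, empty trust store
	verifiedRejects = err != nil                                   // x509: unknown authority
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // explicit trust anchor for the registry
	pinnedAccepts, _ = fetch(newClient(false, pool), srv.URL)
	return
}

func main() {
	a, r, p := demo()
	fmt.Printf("skip-verify accepted: %v, verify rejected: %v, pinned root accepted: %v\n", a, r, p)
}
```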

Remediation (AI)

Patch: Update Podman to a version that implements proper TLS certificate validation in the machine init code path. Consult Red Hat Security Advisories (RHSA) and podman.io for the specific patched release.

Workarounds pending patch availability:
(1) Perform podman machine init only on networks you trust (corporate VPN, home network with TLS inspection disabled).
(2) Pre-stage VM images locally and configure Podman to use local OCI registries rather than remote pulls.
(3) Use network segmentation or firewall rules to restrict outbound registry connections.
(4) Implement TLS inspection appliances or proxies at your network boundary to detect certificate anomalies.

Mitigations: Monitor Podman logs for unexpected VM image downloads; verify image checksums after download if the vendor provides them; consider using Podman's --image flag to pin known-good images rather than relying on the defaults pulled from remote registries.

Vendor Status

Ubuntu

Priority: Medium

podman
Release  | Status       | Version
jammy    | DNE          | -
noble    | DNE          | -
oracular | DNE          | -
upstream | needs-triage | -
plucky   | ignored      | end of life, was needs-triage
questing | needs-triage | -

Debian

Bug #1108473

libpod
Release    | Status       | Fixed Version | Urgency
bullseye   | not-affected | -             | -
bookworm   | not-affected | -             | -
(unstable) | fixed        | (unfixed)     | -

podman
Release    | Status | Fixed Version | Urgency
trixie     | fixed  | 5.4.2+ds1-2   | -
forky, sid | fixed  | 5.7.0+ds2-3   | -
(unstable) | fixed  | 5.4.2+ds1-2   | -


EUVD-2025-19013 vulnerability details – vuln.today
