[Important] [Security] Fixes for vulnerabilities in sudo, rsync, and microcode_ctl (CVE-2025-32462, CVE-2024-12085, and CVE-2024-45332) for Virtuozzo Hybrid Server 7.5

Issue date: 2025-07-31

Applies to: Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2025-011

1. Overview

This update resolves the vulnerabilities in sudo, rsync, and microcode_ctl registered as CVE-2025-32462, CVE-2024-12085, and CVE-2024-45332. Additionally, this update includes a fix for NetKVM drivers that caused some Windows virtual machines to crash.

2. Security Fixes

  • [Important] [sudo] A privilege escalation vulnerability was found in Sudo. In certain configurations, unauthorized users can gain elevated system privileges via the Sudo host option (-h or --host). When using the default sudo security policy plugin (sudoers), the host option is intended to be used in conjunction with the list option (-l or --list) to determine what permissions a user has on a different system. However, this restriction can be bypassed, allowing a user to elevate their privileges on one system to the privileges they may have on a different system, effectively ignoring the host identifier in any sudoers rules. This vulnerability is particularly impactful for systems that share a single sudoers configuration file across multiple computers or use network-based user directories, such as LDAP, to provide sudoers rules on a system. (CVE-2025-32462)

  • [Important] [rsync] A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time. (CVE-2024-12085)

  • [Important] [microcode_ctl] Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution in the indirect branch predictors for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2024-45332)

3. Recommendations

  • sudo update considerations: Before updating, ensure you have alternative means of accessing the root account, for example, local or remote console access. If sudo misbehaves and you end up locked out of the root account, use the local root login to downgrade the sudo package:

    # yum downgrade sudo
    
  • microcode_ctl update considerations: We recommend testing the microcode included with the new microcode_ctl version in a staging or development environment before updating production nodes. If you encounter technical issues, you can skip microcode loading by setting the kernel parameter dis_ucode_ldr in the boot loader.
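
The two recommendations above amount to a short pre-update checklist: confirm that root can still log in without sudo, know whether microcode loading is disabled on the running kernel, and record the microcode revision the CPUs currently run so the result of the new microcode_ctl package can be compared afterwards. The shell functions below are an added example, not part of the Virtuozzo advisory; each one takes the text it inspects as an argument (the output format of `passwd -S root`, the contents of /proc/cmdline and /proc/cpuinfo) so it runs here against constructed samples and can be pointed at live command output on a node. The function names and sample values are the example's own.

```shell
#!/bin/sh
# Added example (not part of the Virtuozzo advisory): pre-update checks for
# the sudo and microcode_ctl recommendations.

# Can root log in at the console if sudo breaks? Takes the output of
# `passwd -S root`; its second field is PS (password set), LK (locked) or
# NP (no password).
root_login_status() {
    set -- $1
    case "$2" in
        PS) echo "usable" ;;
        LK) echo "locked" ;;
        NP) echo "no-password" ;;
        *)  echo "unknown" ;;
    esac
}

# Is microcode loading disabled on the running kernel? Takes /proc/cmdline
# text and matches dis_ucode_ldr only as a whole parameter, never as part of
# another word. Returns 0 if set, 1 otherwise.
ucode_loader_disabled() {
    for p in $1; do
        [ "$p" = "dis_ucode_ldr" ] && return 0
    done
    return 1
}

# Microcode revision(s) the CPUs currently run, from /proc/cpuinfo text,
# deduplicated and space-separated. Record this before the update; after
# updating (or after rebooting with dis_ucode_ldr set) compare it to see
# whether the new microcode was applied or skipped.
loaded_microcode_revisions() {
    printf '%s\n' "$1" | awk -F': *' '
        $1 ~ /^microcode/ && !seen[$2]++ { out = out (out == "" ? "" : " ") $2 }
        END { print out }'
}

# Run all three checks against the live system (needs root for passwd -S).
preupdate_report() {
    echo "root login:        $(root_login_status "$(passwd -S root 2>/dev/null)")"
    if ucode_loader_disabled "$(cat /proc/cmdline)"; then
        echo "microcode loading: disabled (dis_ucode_ldr set)"
    else
        echo "microcode loading: enabled"
    fi
    echo "microcode loaded:  $(loaded_microcode_revisions "$(cat /proc/cpuinfo)")"
}

# Constructed samples, not captured from a real node.
SAMPLE_PASSWD_S='root PS 2025-07-01 0 99999 7 -1 (Password set, SHA512 crypt.)'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-example root=/dev/mapper/vz-root ro quiet dis_ucode_ldr'
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
microcode	: 0xf0
processor	: 1
vendor_id	: GenuineIntel
microcode	: 0xf0'

echo "sample root login:        $(root_login_status "$SAMPLE_PASSWD_S")"
if ucode_loader_disabled "$SAMPLE_CMDLINE"; then
    echo "sample microcode loading: disabled"
else
    echo "sample microcode loading: enabled"
fi
echo "sample microcode loaded:  $(loaded_microcode_revisions "$SAMPLE_CPUINFO")"
```

Call `preupdate_report` as root on the node to see the live values. A root status of locked or no-password means the fallback the advisory relies on (local root login to run `yum downgrade sudo`) is not available and should be fixed before the sudo update, not after.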

4. Other Fixes

  • Fixed an issue with NetKVM drivers that caused some Windows virtual machines to crash with the BSOD 0x139 code. (PSBM-160052)

5. Installing the Update

Install the update with yum update.

6. References

The updated packages for Virtuozzo Hybrid Server 7.5 are listed in the JSON file.

The updated packages for VzLinux 7 are provided in the JSON file.