[Important] [Security] Fixes for vulnerabilities in sudo, rsync, and microcode_ctl (CVE-2025-32462, CVE-2024-12085, and CVE-2024-45332) for Virtuozzo Hybrid Server 7.5
Issue date: 2025-07-31
Applies to: Virtuozzo Hybrid Server 7.5
Virtuozzo Advisory ID: VZA-2025-011
1. Overview
This update resolves the vulnerabilities in sudo, rsync, and microcode_ctl registered as CVE-2025-32462, CVE-2024-12085, and CVE-2024-45332. Additionally, this update includes a fix for NetKVM drivers that caused some Windows virtual machines to crash.
2. Security Fixes
[Important] [sudo] A privilege escalation vulnerability was found in Sudo. In certain configurations, unauthorized users can gain elevated system privileges via the Sudo host option (-h or --host). When using the default sudo security policy plugin (sudoers), the host option is intended to be used in conjunction with the list option (-l or --list) to determine what permissions a user has on a different system. However, this restriction can be bypassed, allowing a user to elevate their privileges on one system to the privileges they may have on a different system, effectively ignoring the host identifier in any sudoers rules. This vulnerability is particularly impactful for systems that share a single sudoers configuration file across multiple computers or that use network-based user directories, such as LDAP, to provide sudoers rules on a system. (CVE-2025-32462)
[Important] [rsync] A flaw was found in rsync that can be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time. (CVE-2024-12085)
[Important] [microcode_ctl] Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution in the indirect branch predictors for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2024-45332)
3. Recommendations
sudo update considerations: Before updating, ensure you have alternative means of accessing the root account, for example, local or remote console access. If sudo misbehaves and you end up locked out of the root account, use the local root login to downgrade the sudo package:
# yum downgrade sudo
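As an added defender-side check that is not part of this advisory, the following POSIX shell script lists sudoers rules whose host field is anything other than ALL; such per-host rules are the ones whose restriction CVE-2025-32462 let a user sidestep, so they show where a sudoers file shared across hosts relied on host scoping. The function names and the sample sudoers content in the comments are assumptions, and rules delivered via LDAP are outside what it inspects.

```shell
#!/bin/sh
# Added example, not part of the Virtuozzo advisory: find sudoers rules whose
# host field is anything other than ALL. Those per-host restrictions are what
# CVE-2025-32462 let a user bypass, so hits show where a sudoers file shared
# across hosts relied on host scoping. Assumes sudoers syntax; lines that begin
# with "#" (comments, legacy #include, numeric UIDs) and backslash-continued
# rules are not handled.

# Print "file:line: rule" for each user specification whose host list is not ALL.
find_host_scoped_rules() {
    awk -v f="$1" '
        # drop comments and surrounding whitespace, then re-split fields
        { sub(/[ \t]*#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        # Defaults, alias definitions and @include directives are not rules
        /^(Defaults|[A-Za-z_]+_Alias|@include)/ { next }
        # user specification: "user host_list=(runas) command"; $2 holds the
        # host list, possibly glued to "=" when no space precedes it
        /=/ && NF >= 2 {
            host = $2
            sub(/=.*/, "", host)
            if (host != "" && host != "ALL")
                printf "%s:%d: %s\n", f, NR, $0
        }
    ' "$1"
}

# Scan every file given as an argument (e.g. /etc/sudoers /etc/sudoers.d/*);
# returns 1 when any host-scoped rule was found, 0 when none were.
scan_sudoers_files() {
    found=0
    for file in "$@"; do
        [ -f "$file" ] || continue
        if [ -n "$(find_host_scoped_rules "$file")" ]; then
            find_host_scoped_rules "$file"
            found=1
        fi
    done
    return $found
}

# usage (as root, since /etc/sudoers is normally mode 0440):
#   scan_sudoers_files /etc/sudoers /etc/sudoers.d/* || echo "host-scoped rules present"
```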
microcode_ctl update considerations: We recommend testing the microcode included with the new microcode_ctl version in a staging or development environment before updating production nodes. If you encounter technical issues, you can skip microcode loading by setting the kernel parameter dis_ucode_ldr in the boot loader.
4. Other Fixes
Fixed an issue with NetKVM drivers that caused some Windows virtual machines to crash with the BSOD 0x139 code. (PSBM-160052)
5. Installing the Update
Install the update with yum update.