HP CIFS Server Administrator Guide Version A.02.04.04 (5070-6710, October 2011)

Restricting Execute Permission on Stacks
A common method of breaking into a system is to maliciously overflow buffers on a program's
stack, for example by passing unusually long command line arguments to a privileged program that does
not expect them. Malicious unprivileged users can use this technique to trick a privileged program
into starting a superuser shell for them, or to perform similar unauthorized actions.
One effective way to reduce the risk from this type of attack is to remove the execute permission
from the program's stack pages. This improves system security without impacting performance and
has no negative effects on the majority of legitimate applications.
The HP CIFS Server does not require execution on the stack. While the HP CIFS Server attempts
to prevent buffer overflow possibilities, you can set the HP-UX kernel tunable parameter
executable_stack to disallow stack execution, which provides an additional layer of protection
from malicious attacks. For details, refer to the chatr man page.
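The following audit helper is an added example, not part of the HP CIFS Server guide. It parses the report printed by kctune for the executable_stack tunable and reports whether stack execution is denied; the report layout (Tunable / Value / Expression / Changes columns) and the value meanings (0 = deny, 1 = allow, 2 = allow with a warning) are assumptions, as is the sample text, which is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example: audit the HP-UX executable_stack tunable from kctune output.
# Assumed value semantics: 0 = deny stack execution, 1 = allow, 2 = allow but warn.

# Extract the Value column for executable_stack from a kctune report.
# $1: text as printed by `kctune executable_stack` (assumed column layout).
exec_stack_value() {
    printf '%s\n' "$1" | awk '$1 == "executable_stack" { print $2; exit }'
}

# Map the tunable value to a policy label.
exec_stack_policy() {
    case "$1" in
        0) echo "deny" ;;
        1) echo "allow" ;;
        2) echo "allow-with-warning" ;;
        *) echo "unknown" ;;
    esac
}

# Return 0 only when the tunable denies stack execution; otherwise print the
# remediation command (kctune executable_stack=0) and return 1.
audit_exec_stack() {
    value=$(exec_stack_value "$1")
    policy=$(exec_stack_policy "$value")
    if [ "$policy" = "deny" ]; then
        echo "PASS: executable_stack=$value ($policy)"
        return 0
    fi
    echo "FAIL: executable_stack='$value' ($policy); fix with: kctune executable_stack=0"
    return 1
}

# Constructed sample reports in the assumed kctune layout (not real captures).
SAMPLE_DENY='Tunable           Value  Expression  Changes
executable_stack      0  Default     Immed'
SAMPLE_ALLOW='Tunable           Value  Expression  Changes
executable_stack      1  Default     Immed'

# On a live HP-UX host, audit the running kernel; elsewhere, only the samples run.
if command -v kctune >/dev/null 2>&1; then
    audit_exec_stack "$(kctune executable_stack)"
else
    audit_exec_stack "$SAMPLE_DENY"
    audit_exec_stack "$SAMPLE_ALLOW"
fi
```

A per-binary chatr setting can still differ from the system-wide tunable, so check the CIFS Server binaries with chatr as well when hardening a host.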
Automatically Receiving HP Security Bulletins
You can subscribe to automatically receive future HP Security Bulletins or other technical digests
from the HP IT Resource Center (ITRC) via electronic mail.
Use the following steps to register for and subscribe to HP Security Bulletins:
1. Use your browser to get to the HP IT Resource Center web site at: http://itrc.hp.com
2. Use your existing login or use the Register button to create a login for gaining access to many
areas of the ITRC. Remember to save your user ID and password.
3. Choose the Support Information Digests option under the Notification section (near the
bottom of page).
4. To subscribe to future HP Security Bulletins or other technical digests, click the check box for the
appropriate digest and then click the Update Subscriptions button.
To review bulletins already released, choose the link for the appropriate digest.
You can find your ITRC account security bulletins at:
http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin
5. To gain access to the Security Patch Matrix, choose the link for "The Security Bulletins Archive".
In the archive, the third link is to the current Security Patch Matrix. This matrix categorizes
security patches by the platform/OS release, and by the bulletin topic. The Security Patch
Check tool completely automates the process of reviewing the patch matrix for HP-UX 11i v1
and v2 systems.
The Security Patch Check tool can verify that a security bulletin has been implemented
on HP-UX 11i v1 and v2 systems, provided that the fix is completely implemented in a patch
with no manual actions required. The Security Patch Check tool cannot verify fixes
implemented using a product upgrade.
For detailed information on the Security Patch Check tool, refer to the following web
site:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA
The security patch matrix is also available via the anonymous ftp site at:
ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/
Reporting New Security Vulnerabilities
You can report new security vulnerabilities by sending an email to security-alert@hp.com.
You need to encrypt any exploit information by using the security-alert PGP key, available from
your local key server, or by sending a message with a Subject line (not body) of 'get key' (no quotes)
to security-alert@hp.com.