The following security hole was reported to Digital and CERT in March 1994. It is still present in the latest version of Digital Unix being distributed (3.2). As far as I know it is present in all Unix variants produced by Digital for VAX, Mips and Alpha platforms.

Digital have added a pair of flags to the "mountd" program (-d and -s) which are intended to block mounts from outside the local domain. If you use this feature, then the first attempt to mount from outside is correctly rejected. But if you send the same request again straight away, it will usually be accepted. Specifically, you must repeat the request before mountd receives a request from some other host.

The problem is that the daemon is intending to cache the success of the last request. Unfortunately the code Digital have added is in the wrong place, and the request is cached even if it fails the new test. The bug does not affect systems which use explicit export lists rather than relying on -d or -s.

The problem can be fixed with a one instruction patch. We have worked out patches for OSF/1 versions 1.3 and 3.2.

For 1.3, the instruction to change is:

    1147c1147
    < 0x120003e28: c3e000b6 br zero, 0x120004104
    ---
    > 0x120003e28: 47ff041f bis zero, zero, zero

For 3.2, the instruction to change is:

    1395c1395
    < 0x120004928: c3e00092 br zero, 0x120004b74
    ---
    > 0x120004928: 47ff041f bis zero, zero, zero

(These are diffs on the output of "dis", the disassembler).

Martyn Johnson
maj@cl.cam.ac.uk
University of Cambridge Computer Lab
Cambridge UK
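The ordering bug the post describes (a "last request" cache that is filled before the domain check runs, so the repeated request hits the cache and skips the check) is a general pattern worth seeing in source form. The model below is an added example written for this page; it is not Digital's mountd code and does not reproduce its data structures. The single-entry cache, the `in_local_domain` suffix test and the domain name `cl.cam.ac.uk` are assumptions chosen for illustration. The buggy function caches unconditionally before the check; the fixed function only caches a request that has already passed every check, which is the same effect as the post's patch (the branch that skipped past the check is replaced with the Alpha no-op `bis zero, zero, zero`).

```c
/* Model of a check-then-cache ordering bug in a mount daemon.
 * Added example for this page; not Digital's mountd source. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define HOSTLEN 64

/* Hypothetical daemon state: one remembered host whose last request
 * was accepted (a single-entry cache, as the post describes). */
struct mountd_state {
    char cached_host[HOSTLEN];
    bool have_cache;
};

/* Assumed local domain for the -d style check. */
static const char *local_domain = "cl.cam.ac.uk";

/* Domain check: the requesting host must end in "." + local_domain. */
static bool in_local_domain(const char *host)
{
    size_t hl = strlen(host), dl = strlen(local_domain);
    if (hl <= dl)
        return false;
    return host[hl - dl - 1] == '.' && strcmp(host + hl - dl, local_domain) == 0;
}

static void remember(struct mountd_state *s, const char *host)
{
    snprintf(s->cached_host, sizeof s->cached_host, "%s", host);
    s->have_cache = true;
}

static bool cache_hit(const struct mountd_state *s, const char *host)
{
    return s->have_cache && strcmp(s->cached_host, host) == 0;
}

/* Buggy ordering: the host is cached before the domain check, so a
 * rejected request that is simply repeated matches the cache and is
 * accepted without ever being re-checked. */
bool mount_request_buggy(struct mountd_state *s, const char *host)
{
    if (cache_hit(s, host))
        return true;            /* cache hit: all checks skipped */
    remember(s, host);          /* cached regardless of the outcome (the bug) */
    if (!in_local_domain(host))
        return false;           /* rejected, but already cached */
    return true;
}

/* Fixed ordering: only a request that passed the check is cached, so
 * a cache hit always stands for a previously authorised request. */
bool mount_request_fixed(struct mountd_state *s, const char *host)
{
    if (cache_hit(s, host))
        return true;
    if (!in_local_domain(host))
        return false;           /* nothing cached for a rejected host */
    remember(s, host);
    return true;
}

int main(void)
{
    struct mountd_state buggy = {{0}, false}, fixed = {{0}, false};
    const char *outside = "outside.example.org";   /* constructed sample host */

    printf("buggy: 1st %d, 2nd %d\n",
           mount_request_buggy(&buggy, outside),
           mount_request_buggy(&buggy, outside)); /* 0 then 1: bypass */
    printf("fixed: 1st %d, 2nd %d\n",
           mount_request_fixed(&fixed, outside),
           mount_request_fixed(&fixed, outside)); /* 0 then 0 */
    return 0;
}
```

The detection angle follows from the same model: with the buggy ordering, a log of mount requests from a host outside the domain shows a rejection immediately followed by an acceptance of an identical request, which is the signature an administrator running -d or -s on an unpatched system would look for.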