COMMAND

    mountd

SYSTEMS AFFECTED

    Digital Ultrix and OSF/1 (Digital Unix)

PROBLEM

    The following security  hole was reported  to Digital and  CERT in
    March 1994. It is still  present in the latest version  of Digital
    Unix being distributed (3.2).  As  far as I know it is  present in
    all Unix  variants produced  by Digital  for VAX,  Mips and  Alpha
    platforms.

    Digital have  added a  pair of  flags to  the "mountd" program (-d
    and -s) which are intended to block mounts from outside the  local
    domain.  If you use this feature, then the first attempt to  mount
    from outside  is correctly  rejected.   But if  you send  the same
    request  again  straight  away,  it  will  usually  be   accepted.
    Specifically, you must repeat  the request before mountd  receives
    a request from some other host.

    The cause is that the  daemon intends to cache the success of the
    last request, so that an immediate repeat of it can be accepted
    without going through the checks again.  Unfortunately the code
    Digital have added is in the wrong place relative to that cache:
    the request is recorded as the last one even if it fails the new
    domain test, so the repeat hits the cache and is accepted.
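
    The sequence above, as an added simulation that is not Digital's
    mountd code (the advisory supplies only a binary patch): a single
    remembered host stands in for the cache, the local domain
    "example.com" and the host names are constructed, and the buggy
    and fixed functions differ only in where the host is cached.

```c
/*
 * Constructed model of the cache bug the advisory describes.  This is not
 * Digital's mountd source (the advisory gives only a binary patch) and the
 * domain name, host names and cache shape are assumptions: a single
 * remembered host, which matches "repeat the request before mountd
 * receives a request from some other host".
 */
#include <stdio.h>
#include <string.h>

#define LOCAL_DOMAIN "example.com"   /* assumed domain that -d/-s would allow */

static char last_host[256];          /* the cache: last request remembered */

void reset_cache(void) { last_host[0] = '\0'; }

/* The new test: accept only hosts that lie inside LOCAL_DOMAIN. */
int in_local_domain(const char *host)
{
    size_t hl = strlen(host), dl = strlen(LOCAL_DOMAIN);
    return hl > dl + 1 && host[hl - dl - 1] == '.' &&
           strcmp(host + hl - dl, LOCAL_DOMAIN) == 0;
}

static void remember(const char *host)
{
    strncpy(last_host, host, sizeof last_host - 1);
    last_host[sizeof last_host - 1] = '\0';
}

/* Buggy order: the host is cached before the domain test, so a rejected
 * outside host is remembered and its immediate repeat hits the cache.
 * Returns 1 if the mount is allowed, 0 if rejected. */
int mountd_buggy(const char *host)
{
    if (last_host[0] && strcmp(host, last_host) == 0)
        return 1;                   /* cache hit: checks are skipped */
    remember(host);                 /* cached regardless of the outcome */
    return in_local_domain(host);   /* first outside request: rejected */
}

/* Fixed order: only a request that passed the test is cached. */
int mountd_fixed(const char *host)
{
    if (last_host[0] && strcmp(host, last_host) == 0)
        return 1;
    if (!in_local_domain(host))
        return 0;                   /* rejected and not remembered */
    remember(host);
    return 1;
}

/* Replay the advisory's sequence (outside host, same request again) against
 * one implementation; returns the verdict on the repeated request and,
 * optionally, the verdict on the first one. */
int replay(int (*impl)(const char *), int *first_out)
{
    int first, second;
    reset_cache();
    first  = impl("attacker.evil.org");   /* constructed outside host */
    second = impl("attacker.evil.org");   /* same request straight away */
    if (first_out)
        *first_out = first;
    return second;
}

int main(void)
{
    int first;
    int b = replay(mountd_buggy, &first);
    printf("buggy: first request %s, repeat %s\n",
           first ? "accepted" : "rejected", b ? "accepted" : "rejected");
    b = replay(mountd_fixed, &first);
    printf("fixed: first request %s, repeat %s\n",
           first ? "accepted" : "rejected", b ? "accepted" : "rejected");
    return 0;
}
```

    Interleaving a request from another host evicts the attacker from
    the one-slot cache, which is why the advisory says the repeat must
    arrive before any other host's request; sending the pair twice in a
    row restores the condition.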

SOLUTION

    The bug does  not affect systems  which use explicit  export lists
    rather than relying on -d or -s.

    The problem  can be  fixed with  a one-instruction patch.  We have
    worked out patches for OSF/1 versions 1.3 and 3.2.

    For 1.3, the instruction to change is:

        1147c1147
        <   0x120003e28:        c3e000b6        br      zero, 0x120004104
        ---
        >   0x120003e28:        47ff041f        bis     zero, zero, zero
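
    Review bot: the hunk gives the instruction's virtual address,
    0x120003e28, but not where that word sits in the mountd file, so
    anyone applying it has to translate the address through the text
    segment's load address and confirm that the word there really is
    c3e000b6 before writing 47ff041f over it; a mountd from any other
    patch level will not have the branch at the same address.  The
    encoding itself is consistent: the displacement 0xb6 in c3e000b6 is
    0x2d8 bytes from 0x120003e2c, which reaches the stated target
    0x120004104, and 47ff041f is the Alpha no-op (bis zero, zero, zero).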

    For 3.2, the instruction to change is:

        1395c1395
        <   0x120004928:        c3e00092        br      zero, 0x120004b74
        ---
        >   0x120004928:        47ff041f        bis     zero, zero, zero
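
    Review bot: this hunk, like the 1.3 one, is an Alpha encoding only
    (br and bis are Alpha instructions), while the PROBLEM section says
    the bug is present in Digital's VAX and Mips variants as well; the
    SOLUTION should either say that no patch is offered for those or
    give their offsets.  The same consistency check as for 1.3 holds:
    displacement 0x92 is 0x248 bytes from 0x12000492c and lands on
    0x120004b74.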

    (These are diffs on the output of "dis", the disassembler.  In each
    case an unconditional branch is replaced by "bis zero, zero, zero",
    the Alpha no-op, so that execution falls through into the code the
    branch used to skip.  The addresses are virtual addresses from the
    disassembly, not file offsets.)
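
    Applying a patch of this kind safely, as an added example that is
    not a tool from the advisory or from Digital: the text segment's
    load address and file offset are assumed values (take the real ones
    from the executable's headers), the image is a constructed slice
    rather than a real mountd, and the word is only overwritten when it
    is the one the 1.3 diff shows.

```c
/*
 * Constructed verify-then-write helper for applying the one-word patch.
 * Not a tool from the advisory or from Digital.  The disassembly gives
 * virtual addresses, so the caller supplies the text segment's load
 * address and file offset (assumed values below; take the real ones from
 * the executable's headers) and the word is only overwritten if it is the
 * one the advisory shows.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ALPHA_NOP  0x47ff041fu   /* bis zero, zero, zero (from the advisory) */
#define OSF13_BR   0xc3e000b6u   /* br zero, 0x120004104 at 0x120003e28 */
#define OSF13_VA   0x120003e28ull

/* Virtual address -> file offset within the text segment. */
int va_to_offset(uint64_t va, uint64_t text_va, uint64_t text_off, uint64_t *off)
{
    if (off == NULL || va < text_va)
        return -1;
    *off = va - text_va + text_off;
    return 0;
}

/* Alpha is little-endian: the word c3e000b6 is stored as b6 00 e0 c3. */
int read_le32(const uint8_t *img, size_t len, size_t off, uint32_t *w)
{
    if (off > len || len - off < 4)
        return -1;
    *w = (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
         (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
    return 0;
}

static void write_le32(uint8_t *img, size_t off, uint32_t w)
{
    img[off]     = (uint8_t)w;
    img[off + 1] = (uint8_t)(w >> 8);
    img[off + 2] = (uint8_t)(w >> 16);
    img[off + 3] = (uint8_t)(w >> 24);
}

/* Returns 0 = patched, 1 = already patched, -1 = word differs or out of
 * range.  Refusing on a mismatch is the point: a mountd from another
 * patch level will not have the branch at this address. */
int patch_word(uint8_t *img, size_t len, size_t off, uint32_t expect, uint32_t repl)
{
    uint32_t cur;
    if (read_le32(img, len, off, &cur) != 0)
        return -1;
    if (cur == repl)
        return 1;
    if (cur != expect)
        return -1;
    write_le32(img, off, repl);
    return 0;
}

/* Constructed stand-in for a slice of the 1.3 mountd image: a text segment
 * of NOPs at an assumed load address and file offset, with the branch at
 * the advisory's address.  Real binaries differ; this only exercises the
 * routine above. */
#define SAMPLE_TEXT_VA  0x120003e00ull
#define SAMPLE_TEXT_OFF 0x10ull
uint8_t sample_image[0x50];

void build_sample(void)
{
    size_t i;
    for (i = 0; i < sizeof sample_image; i++)
        sample_image[i] = 0;
    for (i = (size_t)SAMPLE_TEXT_OFF; i + 4 <= sizeof sample_image; i += 4)
        write_le32(sample_image, i, ALPHA_NOP);
    write_le32(sample_image, (size_t)(SAMPLE_TEXT_OFF + (OSF13_VA - SAMPLE_TEXT_VA)),
               OSF13_BR);
}

/* Word currently at a file offset of the sample, or 0xffffffff if out of range. */
uint32_t sample_word(size_t off)
{
    uint32_t w;
    return read_le32(sample_image, sizeof sample_image, off, &w) == 0 ? w : 0xffffffffu;
}

/* Rebuild the sample and apply the 1.3 patch to it; returns patch_word's result. */
int apply_13_patch(void)
{
    uint64_t off;
    build_sample();
    if (va_to_offset(OSF13_VA, SAMPLE_TEXT_VA, SAMPLE_TEXT_OFF, &off) != 0)
        return -1;
    return patch_word(sample_image, sizeof sample_image, (size_t)off, OSF13_BR, ALPHA_NOP);
}

int main(void)
{
    int rc = apply_13_patch();
    printf("1.3 patch on sample image: %s, word at 0x38 is now %08x\n",
           rc == 0 ? "applied" : rc == 1 ? "already applied" : "refused",
           (unsigned)sample_word(0x38));
    return rc < 0;
}
```

    For the 3.2 binary the same routine is used with c3e00092 at
    0x120004928; only the expected word and address change.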