Back to search
CVE-2009-3200
Published: Sep 21, 2009
Modified: Aug 7, 2024
PUBLISHED
Description
The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 0627, and 3.1.1 0815 create an undocumented recovery key and store it in the ENCK variable in flash memory, which allows local users to bypass the passphrase requirement and decrypt the hard drive by reading this variable, deobfuscating the key, and running a cryptsetup luksOpen command.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
36793
third-party-advisory
x_refsource_SECUNIA
http://forum.qnap.com/viewtopic.php?f=12&t=12104&start=10#p63341
x_refsource_MISC
http://forum.qnap.com/viewtopic.php?f=11&t=11214&start=20#p63346
x_refsource_MISC
qnap-backupkey-weak-security(53391)
vdb-entry
x_refsource_XF
20090918 Advisory: Crypto backdoor in Qnap storage devices (CVE-2009-3200)
mailing-list
x_refsource_BUGTRAQ
36467
vdb-entry
x_refsource_BID
1022916
vdb-entry
x_refsource_SECTRACK
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now