Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2009-3200

Published: Sep 21, 2009 | Modified: Oct 10, 2018
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
5.9 MEDIUM
AV:L/AC:M/Au:N/C:C/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2009-3200
CWEhttps://cwe.mitre.org/data/definitions/310.html

The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 0627, and 3.1.1 0815 create an undocumented recovery key and store it in the ENCK variable in flash memory, which allows local users to bypass the passphrase requirement and decrypt the hard drive by reading this variable, deobfuscating the key, and running a cryptsetup luksOpen command.

Affected Software

Name Vendor Start Version End Version
Ts-239_pro_turbo_nas Qnap 3.1.0_0627 3.1.0_0627
Ts-639_pro_turbo_nas Qnap 2.1.7_0613 2.1.7_0613
Ts-239_pro_turbo_nas Qnap 3.1.1_0815 3.1.1_0815
Ts-639_pro_turbo_nas Qnap 3.1.0_0627 3.1.0_0627
Ts-239_pro_turbo_nas Qnap 2.1.7_0613 2.1.7_0613
Ts-639_pro_turbo_nas Qnap 3.1.1_0815 3.1.1_0815

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2023 Aqua Security Software Ltd.   Privacy Policy | Terms of Use