CVE-2009-3200
QNAP TS-239 Pro and TS-639 Pro - Local Passphrase Bypass via Undocumented Recovery Key
Title source: llmDescription
The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 0627, and 3.1.1 0815 create an undocumented recovery key and store it in the ENCK variable in flash memory, which allows local users to bypass the passphrase requirement and decrypt the hard drive by reading this variable, deobfuscating the key, and running a cryptsetup luksOpen command.
References (8)
Core 8
Core References
Exploit x_refsource_misc
http://www.baseline-security.de/downloads/BSC-Qnap_Crypto_Backdoor-CVE-2009-3200.txt
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/36793
Various Sources x_refsource_misc
http://forum.qnap.com/viewtopic.php?f=12&t=12104&start=10#p63341
Various Sources x_refsource_misc
http://forum.qnap.com/viewtopic.php?f=11&t=11214&start=20#p63346
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/53391
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/506607/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/36467
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1022916
Scores
EPSS
0.0007
EPSS Percentile
20.4%
Details
CWE
CWE-310
Status
published
Products (6)
qnap/ts-239_pro_turbo_nas
2.1.7_0613
qnap/ts-239_pro_turbo_nas
3.1.0_0627
qnap/ts-239_pro_turbo_nas
3.1.1_0815
qnap/ts-639_pro_turbo_nas
2.1.7_0613
qnap/ts-639_pro_turbo_nas
3.1.0_0627
qnap/ts-639_pro_turbo_nas
3.1.1_0815
Published
Sep 21, 2009
Tracked Since
Feb 18, 2026