Affected devices:
=================

Probably all QNAP devices running the QNAP modified 3.12.6 kernel with
firmware older than 4.1.4 Build 0804.

Verified on TS-453S Pro and TVS-471, both with Firmware 4.1.4 Build
0522.

Probably fixed with Firmware 4.1.4 Build 0804 (incriminating message
gone, though there is no notice by QNAP that this security problem did
ever exist or that is was fixed, no kernel source available for
verification).


Severity:
=========

Total compromise of disk access keys of encrypted volumes.

Just offline-copy the disks to gain instant full access to all
encrypted data.


Details:
========

QNAP is using modified linux kernels. The 3.12.6 kernel includes the
following modification in GPL_TS/src/linux-3.12.6/drivers/md/dm-table.c
function dm_table_add_target line 752 (from GPL_TS-20150505
-4.1.3.tar.gz, downloads via http://sourceforge.net/projects/qosgpl/):

#ifdef CONFIG_MACH_QNAPTS
        printk(KERN_ALERT "dm_table_add_target start %s, start=%lu,
len=%lu, param=%s, type=%lu...\n", type, start, len, params, tgt
->type);
#endif

Now, if an encrypted device is unlocked, the following happens:
The GUI password is transformed to a LUKS password using a transform
similar to: mkpasswd --hash=MD5 --salt=YCCaQNAP

Then cryptsetup is called to decrypt the disk access key with the
password generated above and then to establish a dm-crypt target with
the disk access key. This leads to dm_table_add_target() being called
for the dm-crypt target. And the disk access key is then logged to the
kernel message ringbuffer.

Examples (actual keys obfuscated by X sequence):

[   41.026684] dm_table_add_target start crypt, start=0,
len=3900772344, param=aes-cbc-plain
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0 
/dev/md0 2056, type=18446744071589635488...

[139023.266397] dm_table_add_target start crypt, start=0,
len=9083850752, param=aes-cbc-plain 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0 
/dev/mapper/cachedev1 4096, type=18446744071588529984...

This information is enough just to call dmsetup from a shell to gain
instant access to the encrypted volume. No knowledge of the user
supplied key is required. Changes of the user supplied key don't matter
as the disk access key stays the same.

To make this even worse QNAP devices log the kernel messages to an
unencrypted hard disk partition and rotate them there. Just look for
the location in /etc/init.d/klogd.sh - the on disk location is actually
a raid 1 device which uses (at least for 4 bay devices) all configured
disks. These log files as well as the kernel ring buffer are world
accessible.

And even when the log files are "deleted" due to rotation there is a
high probability to find the disk access key(s) with a standard
forensics tool.


Conclusion:
===========

To easily access all encrypted data of a QNAP storage device running
the affected kernel one just needs an offline copy of the QNAP disks.
One could think of a variety of online attacks, too.

Every QNAP device running or having run the affected kernel should be
assumed to be fully compromised with regard to encrypted volume keys.

Disks of affected devices should be considered not being encrypted when
being disposed of and thus additional security measures may have to be
taken.

After installing a corrected firmware there are probably only two ways
of regaining confidentiality, both of which require a prior backup of
all encrypted data:

1. Use cryptsetup-reencrypt for a new disk access key from a shell.
   You will have to bring your own version including all required
   libraries as this utility is not included by QNAP.

2. Delete all encrypted volumes from the GUI and the recreate them.
   This implies to recreate all additional configuration as required.


Timeline:
=========

2015/07/12 vendor notified
2015/07/13 receipt of notification acknowledged by vendor
2015/07/24 vendor contacted again

No further information from vendor since last contact attempt.
-- 
Andreas Steinmetz                       SPAMmers use robotrap@domdv.de