Vulnerabilities > CVE-2009-2367 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Iomega Storcenter PRO Firmware

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
iomega
CWE-338
critical
metasploit

Summary

cgi-bin/makecgi-pro in Iomega StorCenter Pro generates predictable session IDs, which allows remote attackers to hijack active sessions and gain privileges via brute force guessing attacks on the session_id parameter.

Vulnerable Configurations

Part Description Count
OS
Iomega
1
Hardware
Iomega
1

Metasploit

descriptionThe Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs, allowing for simple brute force attacks to bypass authentication and gain administrative access.
idMSF:AUXILIARY/ADMIN/HTTP/IOMEGA_STORCENTERPRO_SESSIONID
last seen2020-03-01
modified2017-11-08
published2009-07-01
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2367
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb
titleIomega StorCenter Pro NAS Web Authentication Bypass