Vulnerabilities > CVE-2009-2367 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Iomega Storcenter PRO Firmware
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
cgi-bin/makecgi-pro in Iomega StorCenter Pro generates predictable session IDs, which allows remote attackers to hijack active sessions and gain privileges via brute force guessing attacks on the session_id parameter.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 | |
| Hardware | 1 |
Common Weakness Enumeration (CWE)
Metasploit
| description | The Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs, allowing for simple brute force attacks to bypass authentication and gain administrative access. |
| id | MSF:AUXILIARY/ADMIN/HTTP/IOMEGA_STORCENTERPRO_SESSIONID |
| last seen | 2020-03-01 |
| modified | 2017-11-08 |
| published | 2009-07-01 |
| references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2367 |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb |
| title | Iomega StorCenter Pro NAS Web Authentication Bypass |