CVE-2009-2367
published 2009-07-08
Priority P263 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 23.20% (97.5th percentile)
cgi-bin/makecgi-pro in Iomega StorCenter Pro generates predictable session IDs, which allows remote attackers to hijack active sessions and gain privileges via brute force guessing attacks on the session_id parameter.
Detection & IOCs (extracted from sources)
- Monitor for rapid sequential or incremental requests to cgi-bin/makecgi-pro with varying session_id parameter values, indicative of brute-force session ID enumeration.
- Alert on high-volume requests targeting the session_id parameter of cgi-bin/makecgi-pro from a single source IP, as the session IDs are predictable/sequential and susceptible to enumeration.
- Session IDs are incremented sequentially rather than generated randomly, making brute-force trivial. Any deployment of Iomega StorCenter Pro NAS with the web interface exposed should be treated as accessible without authentication.
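The two monitoring rules above can be expressed as a small log check. This is an added example, not code from the advisory or its sources. It assumes a common-log-format web access log, a numeric session_id carried in the query string, and illustrative thresholds (60 second window, 5 distinct IDs); the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log: one client walking IDs, one client reusing its own ID.
SAMPLE_LOG = [
    f'203.0.113.7 - - [08/Jul/2009:10:00:{s:02d} +0000] "GET /cgi-bin/makecgi-pro?session_id={1000 + s} HTTP/1.1" 200 512'
    for s in range(6)
] + [
    f'198.51.100.20 - - [08/Jul/2009:10:00:{s:02d} +0000] "GET /cgi-bin/makecgi-pro?session_id=4242 HTTP/1.1" 200 512'
    for s in (1, 20, 40)
]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"')
TARGET = "/cgi-bin/makecgi-pro"

def parse(line):
    """Return (ip, time, session_id) for requests to TARGET, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, url = m.groups()
    parts = urlsplit(url)
    sid = parse_qs(parts.query).get("session_id")
    if parts.path != TARGET or not sid:
        return None
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), sid[0]

def find_enumeration(lines, window=timedelta(seconds=60), min_distinct=5):
    """Flag source IPs presenting >= min_distinct different session_id values within window."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec[0]].append(rec[1:])
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            distinct = {sid for _, sid in events[start:end + 1]}
            if len(distinct) < min_distinct or len(distinct) <= best:
                continue
            best = len(distinct)
            nums = sorted(int(s) for s in distinct if s.isdigit())
            steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)  # +1 increments
            alerts[ip] = {"distinct_ids": best, "sequential_steps": steps}
    return alerts
```

A legitimate client normally presents one session_id, so the count of distinct values per source is the primary signal; the sequential-step count helps separate enumeration from a shared NAT address.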
CVSS provenance
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
CWE
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (source: mitre_cwe)
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
When a non-cryptographic PRNG is used in a cryptographic context, it can expose the cryptography to certain types of attacks. Often a pseudo-random number generator (PRNG) is not designed for cryptography. Sometimes a mediocre source of randomness is sufficient or preferable for algorithms that use random numbers. Weak generators generally take less processing power and/or do not use the precious, finite, entropy sources on a system. While such PRNGs might have very useful features, these same features could be used to break the cryptography.
Modes of Introduction:
Phase: Arc
CWE
CWE-330: Use of Insufficiently Random Values (source: mitre_cwe)
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Background: Computers are deterministic machines, and as such are unable to produce true randomness. Pseudo-Random Number Generators (PRNGs) approximate randomness algorithmically, starting with a seed from which subsequent values are calculated. There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and forms an easy to reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Cryptographic PRNGs address this problem by generating output that is more difficult
http://osvdb.org/55586
http://secunia.com/advisories/35666
http://trac.metasploit.com/browser/framework3/trunk/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb?rev=6733
https://exchange.xforce.ibmcloud.com/vulnerabilities/51539
Published: 2009-07-08