Trend Micro has received reports that DDI is affected by cross-site request forgery (CSRF) vulnerabilities. These affect the following console features:
- Deny List Notifications
- Detection Rules
- Threat Detections
- Email Settings
- Network
- Blacklisting/Whitelisting
- Time
- Accounts
- Power Off / Restart
The following DDI versions prior to version 3.8 Service Pack 2 (SP2) are affected:
- 3.8 English
- 3.8 Japanese
- 3.7 English
- 3.7 Japanese
- 3.7 Simplified Chinese
Trend Micro has released DDI 3.8 SP2. All installations running versions up to 3.8 SP1 must be upgraded to version 3.8 SP2 (Build 3.82.1133) to address this issue.
The DDI 3.8 SP2 upgrade can also be downloaded from the Trend Micro Download Center.
Trend Micro would also like to thank John Page (hyp3rlinx.altervista.org) for the responsible disclosure of the issues addressed in this advisory.