The Sonicwall advisory advises this is fixed in the Sentinel One agent 22.3, but there is still no sign of this version in my tenant.
Also, Sonicwall have implemented a workaround in the policy. Does this mean that older S1 agents are mitigated by the workaround?
As it stands I'm unclear if I'm protected against this Aikido Exploit or not.
Just as an aside, this was privately reported to SentinelOne back in July/August.
It was quietly fixed by other vendors before public release. It looks like SentinelOne have really dropped the ball on this as they've had months to fix. I bet a few execs at Sonicwall are fuming over this.
BWC Cybersecurity Overlord ✭✭✭
@shukerra I'm a SentinelOne Partner and can assure you that they did not communicate it properly. There is a Security Notice available from S1 which is not clear at all, but maybe that's due to my limited understanding of the English language.
I cannot quote the whole Security Notice but it stated that there is a workaround available for these S1 Agent versions:
- 22.1 SP2 (22.214.171.12425)
- 22.2 EA2 (126.96.36.1994)
- 22.2 GA (188.8.131.522)
- 22.2 SP1 (184.108.40.2068)
22.2.3 is available for Capture Client (at least in my tenant). SNWL stated that they activated the policy override automatically; it's the parameter moveOnNextBootByFileID in the monitorConfig section. Sadly there is IMHO no way to see if this setting is applied; 'sentinelctl.exe configure' does not show it.
If you cannot see 22.2.3 in your tenant you should contact SNWL Support.
BWC Cybersecurity Overlord ✭✭✭
You're right, they are referring to 22.3 EA, but there is no 22.3 at this moment, I checked with S1. My customers confuse version numbers all the time, it might be the case here. Maybe there is an internal beta, but no public EA. S1 says that the fix will be automatically enabled in the upcoming versions, which might be 22.1.6, 22.2.4 or 22.3.x, but for now the policy override is necessary for the supported versions which I mentioned above. SNWL got you covered on this.
22.2.3 is in my tenant and we've deployed that. What has confused me is Sonicwall's article refers to agent "22.3"
Aikido Exploit and Its Impact on SonicWall Capture Client | SonicWall
You can see why I was expecting a 22.3 in my tenant. I quote:
SentinelOne released a Security Notice on December 9, 2022, confirming that the vulnerability exploited by Aikido was fixed in their SentinelOne Agent 22.3 for Windows. However, this agent is currently only in Early Availability.
SonicWall has promoted this version as a SonicWall-managed release....
Cool, thanks for the help.
Hopefully this thread is useful for others confused by Sonicwall's advisory!
@BWC - thanks for your responses. You're spot on with what we intended!
@shukerra - apologies for the confusion. The fact is S1 has not made the 22.3 agent as Generally Available and that's why we haven't released it to our console either. We have updated the advisory to make it more clear.
Net net - if you are running 220.127.116.112, the recommended policy override we pushed from our side will protect your endpoints. So the only action any of our customers will have to do, is to ensure agents are upgraded to this version.
To make this easier, we promoted S1 18.104.22.1682 for Windows to a SonicWall-managed release. That triggers an automatic upgrade for any endpoint with a policy that has a SonicWall-managed S1 version. For customers that are using Self-Managed releases, they have to explicitly modify policy settings to upgrade to the desired version.
Hope that helps!