Aikido Exploit and Its Impact on SonicWall Capture Client

The Tech Geeks

OVERVIEW

On December 7, 2022, a SafeBreach security researcher disclosed a vulnerability dubbed “Aikido,” with subsequent proof-of-concept (POC) exploit code that can potentially turn EDR agents running on Microsoft Windows endpoints into malicious data wipers.

The exploit has been confirmed to work with six vulnerable EDR products, including the SentinelOne Agent for Microsoft Windows. SonicWall Capture Client leverages the SentinelOne Agent to deliver advanced endpoint protection.

The SonicWall Product Security & Incident Response Team (PSIRT) is not aware of active exploitation in the wild. While reports of a proof of concept have been made public by the SafeBreach researcher, malicious use of this vulnerability has not been reported to SonicWall.

AFFECTED PRODUCTS

The Aikido exploit affects SonicWall Capture Client users with SentinelOne Agent for Windows on all versions older than 22.3.

WORKAROUND

SentinelOne has released a policy override that can be enabled on affected endpoints running versions 22.1.5.11025, 22.2.3.402 or 22.2.4.558 to fix the vulnerability. SonicWall has applied this policy override to all affected endpoints running SonicWall Capture Client.

SOLUTION

SentinelOne released a Security Notice on December 9, 2022, confirming that the vulnerability exploited by Aikido was fixed in their SentinelOne Agent 22.3 for Windows. However, this agent is currently only in Early Availability.

SonicWall has promoted this version as a SonicWall-managed release, which will trigger an automatic update for all endpoints configured with a SonicWall-managed release as part of the Client policy.

Customers managing endpoints with a Self-Managed release older than SentinelOne Agent 22.2.3.402 for Windows are advised to upgrade to the latest SonicWall-managed release for the SentinelOne Agent for Windows.
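The version rules in this advisory can be applied to an endpoint inventory as in the following added example, which is not SonicWall or SentinelOne code. The host names, the inventory rows and the release labels `sonicwall-managed` / `self-managed` are constructed assumptions; only the version thresholds come from the text above.

```python
"""Triage Windows agent versions against the rules stated in this advisory."""

FIXED_FROM = (22, 3)  # advisory: fixed in SentinelOne Agent 22.3 for Windows
# Builds the advisory lists as able to take the policy override.
OVERRIDE_BUILDS = {(22, 1, 5, 11025), (22, 2, 3, 402), (22, 2, 4, 558)}
# Self-managed releases older than this are the ones advised to upgrade.
SELF_MANAGED_FLOOR = (22, 2, 3, 402)


def parse_version(text):
    """Turn '22.2.3.402' into (22, 2, 3, 402); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable agent version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version, release):
    """Return (state, upgrade_advised) for one endpoint.

    release uses assumed labels: 'sonicwall-managed' or 'self-managed'.
    """
    v = parse_version(version)
    if v >= FIXED_FROM:
        return ("fixed", False)
    state = "override-eligible" if v in OVERRIDE_BUILDS else "affected-no-override"
    upgrade_advised = release == "self-managed" and v < SELF_MANAGED_FLOOR
    return (state, upgrade_advised)


# Constructed sample inventory: (host, agent version, release type).
INVENTORY = [
    ("ws-01", "22.3.1.10", "sonicwall-managed"),
    ("ws-02", "22.2.4.558", "sonicwall-managed"),
    ("ws-03", "22.1.5.11025", "self-managed"),
    ("ws-04", "21.7.5.1080", "self-managed"),
    ("ws-05", "22.2.1.100", "self-managed"),
]


def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(ver, rel) for host, ver, rel in inventory}


if __name__ == "__main__":
    for host, (state, upgrade_advised) in report(INVENTORY).items():
        print(f"{host}: {state}, upgrade advised: {upgrade_advised}")
```

Endpoints reported as `affected-no-override` run a build older than 22.3 that is not one of the three override-capable builds named in the WORKAROUND section.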
