Local Upgrade Authorization on SentinelOne

Description

A newly disclosed security vulnerability affects how SentinelOne agents handle local upgrades. Under certain conditions, this flaw may allow threat actors to bypass the SentinelOne agent entirely. Refer to the official statement from SentinelOne for details. Local Upgrade Authorization applies exclusively to Windows agent deployments.

SentinelOne recommends enabling the “Local Upgrade Authorization” feature in policy settings. This ensures that any local upgrade attempt must be explicitly approved by an administrator, thereby blocking unauthorized changes.

How are we addressing this

  • We have rolled out the Local Upgrade Authorization setting across all customer tenants.
    • Administrators must now confirm the upgrade window before performing an S1 Agent upgrade.
  • We have also opened SentinelOne console access for all CMC customers. CMC administrators can log in to SentinelOne by clicking the SentinelOne button in the Capture Client Management Console.

Configure Local Upgrade/Downgrade Authorization on SentinelOne console for one or more specific Windows Agents

Follow this procedure to allow local upgrades and downgrades of one or more specific Windows Agents. This can be done from any scope. This policy must be configured on the SentinelOne console:

  • Log in to your CMC (Capture Client Management Console).
  • Click the SentinelOne button to SSO into the S1 Console.
  • Navigate to the scope in the S1 console for which you want to configure the policy. Select your scope from the Scope selector.
  • Confirm that Block Local Windows Agent Upgrades and Downgrades is enabled.
  • In the sidebar, click Sentinels. Endpoints opens.
  • Select one or more endpoints for which you want to approve a local upgrade/downgrade for a limited timeframe.
  • Click Actions > Agent Actions > Confirm Local Upgrade/Downgrade.
  • The upgrade/downgrade status of the Agent on the endpoint is displayed.
  • Set Let users upgrade and downgrade Agent <endpoint_name> to: 
    • Authorize: Allow an Agent to be upgraded and downgraded locally on the endpoint. You must set an expiration date for the authorization.
    • Inherit from Site: Inherit the settings value from the Site level. You can see if the Authorization is On (Authorized) or Off (Unauthorized) on the Site level. You will see one of these options:
      • Inherit from Site (Authorized): Inherit a Site level authorization status, which is set to Authorized. You cannot set an expiration date for the authorization. The expiration date is inherited from the Site level authorization. If Site level authorization is set to Unauthorized, or the authorization expires, the authorization status of the Agent automatically changes to Inherit from Site (Unauthorized).
      • Inherit from Site (Unauthorized): Inherit a Site level authorization status, which is set to Unauthorized. If Site level authorization is set to Authorized, the authorization status of the Agent automatically changes to Inherit from Site (Authorized).
  • If you selected Authorize, set the number of days (maximum is 21) that the Agent is authorized to be upgraded and downgraded.
  • Click Save.

Configure Local Upgrade Authorization Window on SentinelOne console

Alternatively, you can set a maintenance window for Local Upgrade Authorization. All requests to upgrade locally will be processed during the maintenance window. This maintenance window must be configured on the SentinelOne console:

  • Log in to your CMC (Capture Client Management Console) with Admin permissions.
  • Click the SentinelOne button at the bottom of the sidebar to SSO into the S1 Console.
  • Navigate to the scope in the S1 console for which you want to configure the policy. Select your scope from the Scope selector.
  • In the sidebar, click Sentinels.
  • Scroll right to the Upgrade Policy tab.
  • Navigate to Local Upgrade and toggle the Authorize button.
  • Set the expiration date for local upgrade authorization. The maximum window is 21 days.
  • Click Save Changes.
