When They Said Kill All Active And Persistent Sessions They Weren’t Kidding
Yes, there is always that user or app working on critical applications that has no clue what its password is because it depends on persistent Citrix sessions. Sure, they can kick up a storm when forced either to find the Post-It they wrote the password on or to go through the official password reset process, but that pain is nothing compared to the damage an attacker with valid credentials to your network can inflict. The patches are only the first step: you need to ensure new tokens are created after the patch, or else those old tokens could still be used to gain access to your systems.
It has been over 20 days since the notification and patch were released, yet one security researcher found over 5000 unpatched machines. The worse news is the detection of around 20,000 exploited servers, which may or may not have been patched but definitely didn't clear their sessions. As there are well over 100 IP addresses actively searching for vulnerable servers, this attack is still very much underway. Be careful out there!
The vulnerability allows attackers to access a device's memory, and in that RAM find session tokens that miscreants can then extract and use to impersonate an authenticated user. Thus even if the hole is patched, copied tokens will remain valid unless further steps are taken.
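The follow-up step the post insists on, as an added example that is not part of the original post: given an export of current sessions and the time the patch was applied, flag every session whose token was issued while the appliance was still vulnerable, since those are the tokens an attacker may already hold. The session records, the patch timestamp and the field names (`id`, `user`, `created`, `persistent`) are constructed for this example and do not reflect any real appliance's log format.

```python
"""Flag session tokens that predate a patch and must therefore be killed.

Added example; the data below is constructed and the record layout is an
assumption, not a real appliance's session export.
"""
from datetime import datetime, timezone

# Constructed sample data (hypothetical values and field names).
PATCHED_AT = "2023-10-10T12:00:00Z"  # moment the fix was applied (hypothetical)
SESSIONS = [
    {"id": "sess-001", "user": "alice",     "created": "2023-10-09T14:02:00Z", "persistent": True},
    {"id": "sess-002", "user": "bob",       "created": "2023-10-11T08:30:00Z", "persistent": False},
    {"id": "sess-003", "user": "svc-batch", "created": "2023-09-28T03:15:00Z", "persistent": True},
    {"id": "sess-004", "user": "carol",     "created": "2023-10-12T16:45:00Z", "persistent": True},
]


def parse_ts(value):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_sessions(sessions, patched_at):
    """Return the sessions whose token was issued before the patch time.

    Each of these tokens existed while the device was still vulnerable, so it
    has to be treated as potentially copied and be killed, whether the
    session is interactive or persistent.
    """
    cutoff = parse_ts(patched_at)
    return [s for s in sessions if parse_ts(s["created"]) < cutoff]


def triage(sessions, patched_at):
    """Summarise the cleanup: session ids to kill, users who must log in again,
    how many of the stale sessions are persistent (the ones most likely to
    outlive a patch unnoticed), and which sessions were minted after the fix."""
    stale = stale_sessions(sessions, patched_at)
    return {
        "kill": sorted(s["id"] for s in stale),
        "reauth_users": sorted({s["user"] for s in stale}),
        "persistent_stale": sum(1 for s in stale if s["persistent"]),
        "clean": sorted(s["id"] for s in sessions if s not in stale),
    }


if __name__ == "__main__":
    for key, val in triage(SESSIONS, PATCHED_AT).items():
        print(f"{key}: {val}")
```

The cutoff is the patch time, not the notification time, because a token issued between notification and patching was still minted by vulnerable code; in practice you would feed `stale_sessions` the real session export and kill every id it returns, then force those users to re-authenticate.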