We have recently completed an upgrade to our Pulse Secure Managed VPN appliance to address CVE-2019-11510.
While we had previously performed upgrades that mitigated some of the vulnerabilities contained in this release, new information made available this week has confirmed that further work was required.
The vulnerability has received a critical CVSS score. It is likely that the vulnerability has been exploited to access the passwords of users who have authenticated through our platform, and to access keys that are used to authenticate to external servers.
While we have evidence that the tokens have been accessed and retrieved, we have reviewed our access logs and can see no evidence that the compromised credentials have been used. As a precaution, we have taken the step of resetting the service account passwords for each managed tenancy following the upgrade.
We are aware that this security fix results in a loss of functionality for some SAML-authenticated users when connecting to the VPN client. We are continuing to seek a workaround to address these issues, but at this stage there is no alternative workaround for users who experience difficulty connecting using this authentication method.
We recommend that users reset the passwords they use to sign in to their VPN as a matter of best-practice caution. We have contacted all affected users directly.