The industry-wide TLS/SSL renegotiation issue (CVE-2009-3555) has been found in the Pulse Connect Secure (PCS) device. This issue has been reported as a man in the middle (MITM) attack by many news outlets; but, in reality, it is not a true bi-directional MITM attack. This issue allows an attacker to only inject traffic into the initial part of a connection. To exploit this issue, the attacker would need to have layer two access to the network medium (LAN access) at some point between the client and the SSL VPN.
SSL renegotiations come in two forms; the first is client initiated renegotiation and the second is server initiated renegotiation. Support for Client initiated renegotiation has been disabled in PCS OS 6.5R2, 6.4R4.1, 6.3R7 and newer releases, and PPS 3.1R2 and newer releases as well. However, server initiated renegotiation was not removed, as it is required for at least the client certificate authentication.