Microsoft Office 365 Enterprise E3 Insufficient Session Expiration

Posted Jul 7, 2017
Authored by Micha Borrmann | Site syss.de

Microsoft Office 365 Enterprise E3 suffers from an insufficient session expiration vulnerability.

tags | exploit
SHA-256 | 71b7c538dc235667bda1e21c050149a2a4aa82d2b550a41e97c9f1758d8d7dbf

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory ID: SYSS-2017-011
Product: Office 365 (SharePoint)
Manufacturer: Microsoft
Affected Version(s): ?
Tested Version(s): Office 365 Enterprise E3 (version from February 2017)
Vulnerability Type: Insufficient Session Expiration (CWE-613)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2017-03-01
Solution Date:
Public Disclosure: 2017-07-04
CVE Reference: Not yet assigned
Authors of Advisory: Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Microsoft Office 365 Enterprise E3 is a software-as-a-service (SaaS)
product that provides access to different Microsoft productivity
software (see [1]).

Due to an error in the session management, it is still possible to use
SharePoint after the user has logged out via the provided logout function.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found that the application does not properly invalidate the
session cookies rtFa and FedAuth when the provided logout function is
used.

An attacker who obtains these two session cookies of an authenticated
user can continue to use SharePoint in Office 365 even after the user
has logged out via the logout function, the user account has been
disabled in Azure AD, and the user's Office 365 license has been
revoked.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The described security issue concerning the session management of
Microsoft Office 365 Enterprise E3 could be successfully demonstrated
via an interception proxy like Burp Suite.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH found that deleting the user within Azure AD makes it
impossible for that user to use Office 365 anymore.
However, this is a workaround and not a robust solution.
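To make the Vulnerability Details and Solution sections concrete, the following is an added example (not code from the SySS advisory, from Microsoft, or from SharePoint; class and function names, the cookie layout and the user names are assumptions). It contrasts a stateless signed-cookie design, where the server has nothing to revoke on logout so a copied cookie keeps working until it expires, with a server-side session table whose entries are deleted on logout and on account disablement. The second design has the property the advisory found missing, and its revoke-all operation is what an "enforce logout of all users" control performs for every user.

```python
"""Session invalidation on logout (CWE-613): stateless design beside a
server-side revocation design.  Added illustration, not vendor code."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time


def _now(now: float | None) -> float:
    return time.time() if now is None else now


# Constructed per-process signing key for the stateless variant (assumption).
SERVER_KEY = secrets.token_bytes(32)


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


class StatelessSessions:
    """Cookie = user|expiry|HMAC, verified without server-side state.
    Logout can only ask the browser to drop the cookie; the server keeps no
    record of it, so any copy of the cookie keeps working until expiry."""

    def issue(self, user: str, ttl: int = 3600, now: float | None = None) -> str:
        payload = f"{user}|{int(_now(now)) + ttl}"
        return f"{payload}|{_sign(payload)}"

    def logout(self, cookie: str) -> None:
        # Nothing can be revoked: the only effect is a Set-Cookie clearing the
        # client's copy, which a copy held elsewhere never sees.
        return None

    def validate(self, cookie: str, now: float | None = None) -> str | None:
        try:
            user, exp, mac = cookie.rsplit("|", 2)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, _sign(f"{user}|{exp}")):
            return None
        if _now(now) > int(exp):
            return None
        return user


class ServerSideSessions:
    """Opaque random session id looked up in a server-side table.  Logout
    deletes the entry; disabling the account or revoking its licence deletes
    every entry for that user, so a replayed cookie fails at once."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[str, int]] = {}  # sid -> (user, expiry)

    def issue(self, user: str, ttl: int = 3600, now: float | None = None) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, int(_now(now)) + ttl)
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def revoke_all_for_user(self, user: str) -> int:
        """Hook for 'user disabled' / 'licence revoked' events.  Returns the
        number of sessions removed."""
        stale = [sid for sid, (u, _) in self._sessions.items() if u == user]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def validate(self, sid: str, now: float | None = None) -> str | None:
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, exp = entry
        if _now(now) > exp:
            self._sessions.pop(sid, None)  # expired: drop it eagerly
            return None
        return user


def survives_logout(store) -> bool:
    """Acceptance check for either design: a cookie copied before logout must
    NOT authenticate afterwards.  Returns True when the design is vulnerable."""
    cookie = store.issue("alice")  # constructed user
    assert store.validate(cookie) == "alice"
    store.logout(cookie)
    return store.validate(cookie) is not None


def survives_account_disable(store: ServerSideSessions) -> bool:
    """Same check for the account-disable path: all of the user's sessions
    (two devices here) must die together.  True means vulnerable."""
    c1, c2 = store.issue("bob"), store.issue("bob")  # constructed user
    revoked = store.revoke_all_for_user("bob")
    return revoked != 2 or store.validate(c1) is not None or store.validate(c2) is not None


if __name__ == "__main__":
    print("stateless, replay after logout works:", survives_logout(StatelessSessions()))
    print("server-side, replay after logout works:", survives_logout(ServerSideSessions()))
    print("server-side, replay after disable works:", survives_account_disable(ServerSideSessions()))
```

The two check functions are the test a reviewer would run against any session design: issue a session, invalidate it through every path the product offers (logout, disable, licence revocation), and confirm the old cookie is rejected. The advisory's observation that only deleting the Azure AD user cut off access corresponds to the server-side table losing the row for that user, while logout and disable did nothing to the rtFa and FedAuth cookies.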

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2017-02-20: Detection of the vulnerability
2017-03-01: Vulnerability reported to manufacturer
2017-03-02: A ticket number for the reported case was assigned by Microsoft
2017-03-15: Microsoft informed SySS GmbH that the investigation of the issue is in progress
and asked for additional information about the described vulnerability
2017-03-16: SySS GmbH sent more details about the detection of the vulnerability to Microsoft
2017-03-29: Microsoft asked SySS GmbH to confirm the vulnerability and stated: "We request you to not
publish any details until we confirm the resolution of this case." (last response from Microsoft)
2017-03-31: The environment which was used during detection of the issue was no longer available
to SySS GmbH; its administrator informed SySS GmbH that a new function
"enforce logout of all users" now exists; SySS GmbH informed Microsoft about this fact
2017-05-08: SySS GmbH asked Microsoft about the status of the reported issue
2017-06-12: SySS GmbH asked Microsoft about the status of the reported issue; if there is no response,
the issue will be released after June 23, 2017
2017-07-04: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:
[1] Product web site for Microsoft Office 365 Enterprise E3
https://products.office.com/en-us/business/office-365-enterprise-e3-business-software
[2] SySS Security Advisory SYSS-2017-011
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-011.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE8ufGpZlQhO161g3U7b4m5xTqWHYFAllfU+4ACgkQ7b4m5xTq
WHZM+A//R+Bb5Y9d6m8XSVz6XZbd0usF2tskJAv4S+KIgwsAFtkgnA+xBOgHIlpx
KIy7kJDG5EnlB97fC3uYKAIrSFCFrG/rpe3vOVNtSpWC+sjN6tSmXff3gsLg+8uH
niK3Mm8qhH/dvAmvfo6l9GEBSrgQ3+1oO9ZHxZbtEHZ5avV0uwuXIlGwUFnfhO27
0AGzkcsPNji4DNKnuEhc6YiuO+ydX2V8D6Rhc8A0ToInfjCpDJGfHvPcq4tzCjj1
L9eVY2f93Ijmh5i9fRydVO/v+8Uj4jCJtM4Kg1MnPPsi9Q+wE9Y2UkI21isII/sM
cNNQhyBloE3nK9TlhgCr2gNGFHlp5G/Wjvd3C8xFGW/UUxzz2QMiZ98e5F95HC+x
Zf5ZWBaP8ofa5o+HZTLibjZ8SowqcBcdQPHsS3d9viQ9fiDEOJpZtv68d1DB8Uen
Pm/Gvr8O7Cqe9V/f3JhjV1KdLU2VnKKnb8vg1bvMimH316IgwzoLNJ9yqealFsLp
5ILOoU+abKwqcM1chTV/Q48RkRdFVZjyojq4aNK1OVorqEA6EamvPeaGwhngvIyh
e6Gmm8prd/b1Wu/oTTzMe2twPDMs/BsVOq0tkQ63IQ82wGTBjCdKakD3RzPfmp72
PL1OlAU37hsuvV4O5r4ShNsT9/W8t5WzlH+pYQj3ZSoGV5KgetM=
=hwfs
-----END PGP SIGNATURE-----