-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Advisory ID: SYSS-2017-011 Product: Office 365 (Sharepoint) Manufacturer: Microsoft Affected Version(s): ? Tested Version(s): Office 365 Enterprise E3 (version from February 2017) Vulnerability Type: Insufficient Session Expiration (CWE-613) Risk Level: Low Solution Status: Open Manufacturer Notification: 2017-03-01 Solution Date: Public Disclosure: 2017-07-04 CVE Reference: Not yet assigned Authors of Advisory: Micha Borrmann (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Microsoft Office 365 Enterprise E3 is a software-as-a-service (SaaS) product that provides access to different Microsoft productivity software (see [1]). Due to an error in the session management, it is possible to still use Sharepoint after the user logged out via the provided logout function. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: SySS GmbH found out that the application is not properly invalidating the used session cookies rtFa and FedAuth when the provided logout function is used. If an attacker can gain access to these two session cookies of an authenticated user, he can still use Sharepoint in Office 365, even if the user logged out via the logout function, the user was disabled in the Azure AD and the license to use Office 365 was revoked for this user, too. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The described security issue concerning the session management of Microsoft Office 365 Enterprise E3 could be successfully demonstrated via an interception proxy like Burp Suite. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The SySS GmbH found out, that deletion of the user within Azure AD make it impossible for the user to use Office 365 anymore. However, this is a work around and not a rock solid solution. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2017-02-20: Detection of the vulnerability 2017-03-01: Vulnerability reported to manufacturer 2017-03-02: A ticket number for the reported case was assigned by Microsoft 2017-03-15: Microsoft informed the SySS Gmbh that the investigation of the issue is in process; they asked for additional information about the described vulnerability 2017-03-16: SySS GmbH sent more details about the detection of the vulnerability to Microsoft 2017-03-29: Microsoft ask the SySS GmbH to confirm the vulnerability and "We request you to not publish any details until we confirm the resolution of this case." (last response from Microsoft) 2017-03-31: The environment wich was used during detecting the issue was not available anymore for the SySS GmbH; the administrator if it informed the SySS GmbH, that a new function "enforce logout of all users" are existing now; SySS GmbH informs Microsoft about this fact 2017-05-08: SySS GmbH asks Microsoft about the status of the reported issue 2017-06-12: SySS GmbH asks Microsoft about the status of the reported issue, if there will be no response, the issue will be released after June 23, 2017 2017-07-04: Public release of the security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product web site for Microsoft Office 365 Enterprise E3 https://products.office.com/en-us/business/office-365-enterprise-e3-business-software [2] SySS Security Advisory SYSS-2017-011 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-011.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Micha Borrmann of SySS GmbH. E-Mail: micha.borrmann (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE8ufGpZlQhO161g3U7b4m5xTqWHYFAllfU+4ACgkQ7b4m5xTq WHZM+A//R+Bb5Y9d6m8XSVz6XZbd0usF2tskJAv4S+KIgwsAFtkgnA+xBOgHIlpx KIy7kJDG5EnlB97fC3uYKAIrSFCFrG/rpe3vOVNtSpWC+sjN6tSmXff3gsLg+8uH niK3Mm8qhH/dvAmvfo6l9GEBSrgQ3+1oO9ZHxZbtEHZ5avV0uwuXIlGwUFnfhO27 0AGzkcsPNji4DNKnuEhc6YiuO+ydX2V8D6Rhc8A0ToInfjCpDJGfHvPcq4tzCjj1 L9eVY2f93Ijmh5i9fRydVO/v+8Uj4jCJtM4Kg1MnPPsi9Q+wE9Y2UkI21isII/sM cNNQhyBloE3nK9TlhgCr2gNGFHlp5G/Wjvd3C8xFGW/UUxzz2QMiZ98e5F95HC+x Zf5ZWBaP8ofa5o+HZTLibjZ8SowqcBcdQPHsS3d9viQ9fiDEOJpZtv68d1DB8Uen Pm/Gvr8O7Cqe9V/f3JhjV1KdLU2VnKKnb8vg1bvMimH316IgwzoLNJ9yqealFsLp 5ILOoU+abKwqcM1chTV/Q48RkRdFVZjyojq4aNK1OVorqEA6EamvPeaGwhngvIyh e6Gmm8prd/b1Wu/oTTzMe2twPDMs/BsVOq0tkQ63IQ82wGTBjCdKakD3RzPfmp72 PL1OlAU37hsuvV4O5r4ShNsT9/W8t5WzlH+pYQj3ZSoGV5KgetM= =hwfs -----END PGP SIGNATURE-----