Microsoft Office 365 Enterprise E3 Insufficient Session Expiration

Microsoft Office 365 Enterprise E3 suffers from an insufficient session expiration vulnerability.


Advisory ID: SYSS-2017-011
Product: Office 365 (Sharepoint)
Manufacturer: Microsoft
Affected Version(s): ?
Tested Version(s): Office 365 Enterprise E3 (version from February 2017)
Vulnerability Type: Insufficient Session Expiration (CWE-613)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2017-03-01
Solution Date:
Public Disclosure: 2017-07-04
CVE Reference: Not yet assigned
Authors of Advisory: Micha Borrmann (SySS GmbH)

Overview:

Microsoft Office 365 Enterprise E3 is a software-as-a-service (SaaS)
product that provides access to different Microsoft productivity
software (see [1]).

Due to an error in the session management, it is still possible to use
SharePoint after the user has logged out via the provided logout function.


Vulnerability Details:

SySS GmbH found that the application does not properly invalidate the
session cookies rtFa and FedAuth when the provided logout function is
used.

If an attacker gains access to these two session cookies of an
authenticated user, he can continue to use SharePoint in Office 365 even
after the user has logged out via the logout function, has been disabled
in Azure AD and has had the Office 365 license revoked.
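As an added illustration (not part of the SySS advisory and not Microsoft's code), the following Python sketch shows the failure mode described above, a signed bearer cookie that stays valid after logout, account disablement or license revocation, beside a revocation-aware check that also models the "sign out all sessions" style control mentioned later in the timeline. The signing key, cookie layout and user names are constructed for the example.

```python
# Added example (not SySS's or Microsoft's code): the CWE-613 pattern from the
# advisory beside a revocation-aware fix. Key, users and cookie layout are constructed.
import hashlib, hmac, secrets

KEY = b"constructed-demo-signing-key"  # assumption: server-side HMAC key

def issue_cookie(user, now, ttl=8 * 3600):
    """Signed bearer cookie 'user|iat|exp|sid|mac' (stand-in for FedAuth/rtFa)."""
    body = f"{user}|{int(now)}|{int(now) + ttl}|{secrets.token_hex(8)}"
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"

def parse_cookie(cookie):
    """Return (user, iat, exp, sid) if the MAC verifies, else None."""
    body, mac = cookie.rsplit("|", 1)
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    user, iat, exp, sid = body.split("|")
    return user, int(iat), int(exp), sid

def stateless_is_valid(cookie, now):
    """Vulnerable: only signature and lifetime are checked, so logout, disabling
    the account or revoking the license cannot end the session before exp."""
    parsed = parse_cookie(cookie)
    return parsed is not None and now < parsed[2]

class SessionStore:  # fix: server-side revocation state consulted on every request
    def __init__(self):
        self.revoked_sids = set()    # sessions ended through the logout function
        self.disabled_users = set()  # users disabled or de-licensed in the directory
        self.signout_after = {}      # user -> time of "sign out all sessions"

    def logout(self, cookie):
        parsed = parse_cookie(cookie)
        if parsed is not None:
            self.revoked_sids.add(parsed[3])

    def disable_user(self, user):
        self.disabled_users.add(user)

    def signout_all(self, user, now):
        self.signout_after[user] = now  # kills every session issued at or before now

    def is_valid(self, cookie, now):
        parsed = parse_cookie(cookie)
        if parsed is None:
            return False
        user, iat, exp, sid = parsed
        alive = now < exp and sid not in self.revoked_sids and user not in self.disabled_users
        return alive and iat > self.signout_after.get(user, -1)
```

Replaying a cookie against both validators after `logout()` is exactly the check an interception proxy test performs: the stateless variant still accepts it, the store rejects it.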


Proof of Concept (PoC):

The described security issue in the session management of Microsoft
Office 365 Enterprise E3 could be demonstrated successfully via an
interception proxy such as Burp Suite.

Solution:

SySS GmbH found that deleting the user in Azure AD makes it impossible
for the user to use Office 365 any longer.
However, this is a workaround and not a rock-solid solution.


Disclosure Timeline:

2017-02-20: Detection of the vulnerability
2017-03-01: Vulnerability reported to manufacturer
2017-03-02: A ticket number for the reported case was assigned by Microsoft
2017-03-15: Microsoft informed SySS GmbH that the investigation of the issue is in progress;
they asked for additional information about the described vulnerability
2017-03-16: SySS GmbH sent more details about the detection of the vulnerability to Microsoft
2017-03-29: Microsoft asked SySS GmbH to confirm the vulnerability and wrote: "We request you to not
publish any details until we confirm the resolution of this case." (last response from Microsoft)
2017-03-31: The environment which was used while detecting the issue was no longer available
to SySS GmbH; its administrator informed SySS GmbH that a new function
"enforce logout of all users" now exists; SySS GmbH informed Microsoft about this fact
2017-05-08: SySS GmbH asks Microsoft about the status of the reported issue
2017-06-12: SySS GmbH asks Microsoft about the status of the reported issue; if there is no response,
the issue will be released after June 23, 2017
2017-07-04: Public release of the security advisory

References:

[1] Product web site for Microsoft Office 365 Enterprise E3
[2] SySS Security Advisory SYSS-2017-011
[3] SySS Responsible Disclosure Policy

Credits:

This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann (at)
Public Key:
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide information that is as accurate as
possible. The latest version of this security advisory is available on
the SySS Web


Copyright:

Creative Commons - Attribution (by) - Version 3.0