Object serialization has always been a tricky subject. Using serialization as a design pattern can always lead to catastrophic consequences such as remote code execution when user input isn't properly validated.
In the past week we've witnessed several more PHP serialization vulnerabilities (CVE-2017-12932, CVE-2017-12933, CVE-2017-12934), which are not covered by our existing signatures. By inspecting proof-of-concept code related to these vulnerabilities, techniques targeting additional attack surfaces are becoming apparent:
Not only PHP serialized object presents a threat, but a PHP serialized array as well.
A malformed serialized object presents a threat.
The malformed data leads PHP into unexpected behavior such as "heap use after free" and "buffer over-read". As of now, there is no public exploit that demonstrates direct connection to remote code execution using this technique.
Mitigation Using ASM
An Attack Signature Update containing signatures designed to mitigate these vulnerabilities has already been released. The relevant signatures are: