The Dark Souls RCE Exploit was Years in the Making
Reports surfaced claiming that a Dark Souls 3 vulnerability exposed PC players to remote code execution (RCE), a class of security flaw that lets an attacker run arbitrary commands on a target PC. Publisher Bandai Namco shut down the PvP servers for Dark Souls: Prepare To Die Edition, Dark Souls 2 and Dark Souls 3, but provided no further information about its investigation. This left players confused about the state of the online modes and unclear about the cause of the downtime.
Fanbyte spoke to LukeYui, creator of the Dark Souls security mod Blue Sentinel, and to nrssr, who is credited with discovering the vulnerability. nrssr said they have reached out to Bandai Namco multiple times to report Dark Souls vulnerabilities. Past attempts to communicate with Bandai Namco and relay exploit details to developer FromSoftware, including the disclosure back in 2020 of another RCE vulnerability, were reported to have been difficult. Players looking forward to Elden Ring’s February launch should be concerned about the possibility of severe vulnerabilities in the Souls franchise.
The Dark Souls 3 RCE currently in the news was reported by nrssr (who uses that moniker to protect their privacy) back in December 2021. Bandai Namco received documentation and video demonstrations of how the RCE works, and stated in its support correspondence that it had passed the documentation on to the security teams working on Dark Souls. However, FromSoftware took no action to fix the vulnerability. This led nrssr to write their own patch and put together a plan to get the public’s attention in order to alert FromSoftware.
“Given FromSoftware’s track record in fixing exploits within their online games, it was surprising that they would act so quickly,” Fraser says. “I wanted to ensure that the community had some protection as soon as possible.”
Streamer The__Grim__Sleeper was the target of that plan. The clip shows the streamer’s Dark Souls 3 window crashing before the Microsoft text-to-speech voice starts reading copypasta. The incident drew many headlines over the following days and led to speculation in the Dark Souls community about its motives; many believe it was an attempt to raise awareness of a severe threat rather than a malicious attack. In conversation with Fanbyte, nrssr confirmed that the goal was to get FromSoftware’s attention.
LukeYui also reported an RCE vulnerability, having disclosed the NG+ cheat to Bandai Namco just before it started wreaking havoc in the community. LukeYui describes that initial RCE discovery as “less severe” than nrssr’s: it can cause similar damage, but it is more difficult to replicate. Both are critical network vulnerabilities that could expose far more than your save files or game accounts. LukeYui states that the RCE shown in January “can’t do a lot more,” but it poses a risk to more players than the older vulnerability.
It’s not surprising to see games inundated by hackers ruining other players’ in-game experiences. RCE, however, is in a different category: Kaspersky calls it “one of the most serious types of computer vulnerabilities,” as it can lead to the theft or hijacking of systems, loss of control, and loss of sensitive data. The Dark Souls community has been frustrated by years of cheating and a continual stream of vulnerability reports.
In speaking with LukeYui and nrssr, it was clear that both were frustrated. A publisher like Bandai Namco should have procedures in place to report, escalate, and investigate security vulnerabilities that could threaten its users. However, nrssr believes the chain is unravelling somewhere. Communication problems are what FromSoftware must address, as it is difficult for the community and users to ensure that vulnerability disclosures reach the right people. LukeYui seems unsure what to make of the years of inaction.
Both have received communication from Bandai Namco support stating that their reports were being passed on for investigation, but they have very little evidence to back this up.
In a 2020 exchange with the Blue Sentinel creator, a Bandai Namco support representative confirmed that players who had been wrongly banned after being targeted by the Item Give cheat were being unbanned. FromSoftware was also mentioned as a possible source of a fix, but the developers may not have been able to fix the problem. LukeYui claims that Bandai Namco has “just turned off bans on invalid items,” which means the vulnerability is still there.
There is a concern that some of the gravest threats are falling by the wayside, and the urgency of this matter only grows with Elden Ring on the horizon.