Fraud Management & Cybercrime , Incident & Breach Response , Security Operations
Dark Souls 3 Video Game Reportedly Has Exploitable Flaw
Vulnerability Could Allow Takeover of a Player's System; Servers Taken OfflineStay tuned for updates on this developing story.
See Also: On Thin ICES: Augmenting Microsoft 365 with Integrated Cloud and Email Security
A community of gamers was alarmed by a remote code execution flaw discovered over the weekend in the popular gaming series Dark Souls. While Bandai Namco Entertainment Inc., the developer of the game, has not formally confirmed details of the flaw, the official Dark Souls Twitter confirmed that servers for Dark Souls, Dark Souls 2, Dark Souls 3 and Dark Souls: Prepare to Die had been "temporarily deactivated" to investigate what the developers are calling "reports of an issue with online services."
PvP servers for Dark Souls 3, Dark Souls 2, and Dark Souls: Remastered have been temporarily deactivated to allow the team to investigate recent reports of an issue with online services.
Servers for Dark Souls: PtDE will join them shortly.
We apologize for this inconvenience.— Dark Souls (@DarkSoulsGame) January 23, 2022
A game developer reportedly discovered the exploit and reported it to Bandai Namco Entertainment. A series of posts to Reddit and other online forums have led to wider discussions about the vulnerability, security firm Kaspersky reports in a blog post.
Dark Souls is a popular third-person role-playing game, or RPG, and can be played on consoles such as PlayStation and Xbox, and PCs.
Bandai Namco Entertainment didn't immediately respond to Information Security Media Group's request for technical details about the vulnerability.
Details of the RCE Flaw
At this time, the vulnerability has not been officially cataloged, although the subject of who discovered the exploit is widely being discussed on Reddit, where users are also speculating that a non-malicious person was responsible.
The RCE flaw, which gamers are discussing online, has been demonstrated by a Twitch streamer known as The__Grim__Sleeper. As he was livestreaming game play, suddenly his game crashed and Microsoft PowerShell launched. From there, an unknown operator took over control of the gamer's account and began making comments through Windows Narrator. Allegedly, the exploit has not been used by malicious hackers in the wild and was discovered by a nonmalicious party that has been trying to bring awareness to unsafe features in the Dark Souls series, according to a post in the SpeedSoul's Discord.
Some researchers, however, are questioning the manner in which the public has been alerted to the exploit. To date, it has not been confirmed whether the vulnerability was previously divulged to Bandai Namco Entertainment before leaking it to the public.
"Despite the ethically dubious way of drawing attention to the problem, the person behind the attack apparently was not trying to cause any real harm," says Kaspersky's blog.
A Reddit moderator posted more information about the RCE flaw, which he said had been patched by Blue Sentinel, which is a downloadable, anti-cheat extension tool.
Gamers on the Elden Ring Reddit threat, r/Eldenring, said that the RCE flaw that had been reported in the Dark Souls games could allegedly be exploited in this game series as well. In response to a post, Bandai Namco Entertainment wrote: "Thanks very much for the ping, a report on this topic was submitted to the relevant internal teams earlier today, the information is much appreciated!"
Gamers are being advised by Reddit moderators to take the game offline. Reddit users discussing the vulnerability online say that the RCE vulnerability could lead to a malicious hacker stealing sensitive information or installing malware.
While not much is known about this flaw yet, this would not be the first time a critical flaw was found in a popular video game. Minecraft, for example, was where a critical vulnerability was first discovered in the widely used Adobe Log4j logging software. That flaw, designated CVE-2021-44228 and also known as Log4Shell, ultimately turned out to be present in thousands of applications that use the Log4j software, including Minecraft.