YOU(R COMPUTER) DIED: Dark Souls 3, RCE, and CVD

Dark Souls 3 is the third installment of the massively popular Souls franchise of games developed by FromSoftware and published by Bandai Namco Entertainment. On January 22nd, 2022, it was made public that a flaw in Dark Souls 3’s online PvP feature could expose players of the PC edition of the game to one of the most severe types of cybersecurity vulnerabilities – remote code execution.

Remote Code Execution?

Remote Code Execution (RCE) is a class of cybersecurity vulnerabilities in which an attacker is able to execute code on a target machine remotely, without the user’s knowledge or consent. The attacker is able to leverage this to gain total control over the target machine – as if they had physical access to it. This is an absolute worst-case scenario for any user or system administrator, and it exposes them to a variety of threats, including:

  • The theft of sensitive data.
  • Spyware, including keyloggers and screen/webcam/microphone capture.
  • Ransomware attacks.
  • Cryptocurrency mining.
  • Total destruction of the operating system and all other data.
  • Access to other devices on the target’s local network.

Basically, anything bad that could ever be done to a computer (short of pulverizing it into dust with a Blendtec™ blender).

Coordinated Vulnerability Disclosure

In the field of cybersecurity, new vulnerabilities are being discovered every hour of every day. You may be thinking: “Well gee, if that’s true then everyone would be at risk of being hacked all the time!” – and yes, this is true to some extent. However, vulnerabilities are frequently discovered by individuals who operate ethically within the field of cybersecurity (often independent security researchers). When it comes to vulnerability disclosure, such individuals will typically follow the principles of Coordinated Vulnerability Disclosure (CVD).

According to The CERT Guide to Coordinated Vulnerability Disclosure, “Coordinated Vulnerability Disclosure is the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of software vulnerabilities and their mitigations to various stakeholders, including the public.”

An ideal CVD process might go like this: the discoverer of a vulnerability privately discloses the vulnerability to the vendor of the affected software/hardware, who responds promptly and takes the issue seriously. The discoverer coordinates with the vendor, and gives them adequate time to resolve the issue before the vulnerability is disclosed publicly.

Back to Dark Souls

So how about the vulnerability affecting Dark Souls 3? Was that disclosed properly? Like a lot of things in life, it’s complicated. One of the first public disclosures of the vulnerability occurred during a Twitch stream of the game, in which the attacker reportedly executed a Microsoft PowerShell script on the streamer’s computer. Not ideal. However, it is reported that the individual who performed the exploit (presumably the discoverer) did try to contact FromSoftware and Bandai Namco Entertainment (the vendors) in order to disclose this vulnerability privately, but was repeatedly ignored.

CVD is a two-way street; it requires both the discoverer and the vendor to communicate and coordinate. So what happens if the discoverer is stonewalled by the vendor? The CERT guide says this: “the goal of CVD is to help users make more informed decisions about actions they can take to secure their systems. Sometimes it becomes obvious that the coordination of a disclosure has failed. In these cases, it may make more sense to publish earlier than expected than to continue to withhold information from those who could use it to defend their systems.”

The question remains, then: was the RCE vulnerability affecting Dark Souls 3 disclosed properly? I believe that it was. I think that the discoverer of the exploit was correct in disclosing the vulnerability publicly after it became apparent that the developer and publisher were intent on ignoring it. The players of the game became aware of the risks associated with using the PvP feature of the game, which allowed them to make informed decisions about securing their systems. Furthermore, the bad press surrounding this vulnerability has forced FromSoftware to respond to the issue; all PvP servers for all games in the Souls franchise have been taken down while they investigate.

Sources:

20 Comments

  1. Such an informative post. Also, the way that a computer vulnerability is exploited depends on the nature of the vulnerability and the motives of the attacker. These vulnerabilities can exist because of unanticipated interactions of different software programs.

  2. I read that this bug affects only PC gamers, and consoles are unaffected. I guess that’s a +1 for consoles? On a serious note, going forward it seems like a good practice would be to have two computers, one for gaming and one for other stuff.
    Imagine a scenario where someone who plays Dark Souls on PC uses that computer to remotely access another server to work from home (especially in these times). This risk could now be transferred to corporations/public institutions.
    From my understanding, no one actually used this vulnerability in a malicious way, which could explain the lack of urgent response from the game’s development team. As usual, companies are more pressured towards reactive action, as opposed to proactive action. I think whoever discovered and disclosed the exploit was pressured to do this by the lack of response, so good on them for notifying users about an important safety concern.

  3. Really cool post, I’m a big fan of video games so it’s nice to see posts about the topic. Unfortunately the story behind the post is not so nice since it’s about people getting hacked. It’s crazy to think that people were getting hacked because of an online PvP feature for a video game. And it was not just information theft, but actually getting full access to someone else’s PC from a video game. I was shocked to hear that the developers of the game did not do anything when the issue was brought to their attention, but I guess big companies are like that sometimes. The fact that the person who discovered the issue didn’t use it in any malicious way and actually brought attention to the problem is really nice to know. Hopefully they got the issue solved.

  4. It’s great to see that the developers are finally taking this seriously. I also agree that the person who discovered this was justified in posting this vulnerability publicly, especially since the vulnerability involves RCE. I’m not too surprised that the developers didn’t send any sort of response until some backlash came along. From my experience with any of the Souls games, security is usually pretty terrible. It was somewhat common to find a cheater/hacker when doing any sort of multiplayer. At worst, they could get you banned or reset your game (don’t know if this was patched yet). The community has its own anti-cheat, which really says something about how responsive Fromsoft is with this kind of stuff.

  5. I clicked for the punny article title.
    I left with genuinely new and surprising information.

    “Was the RCE vulnerability affecting Dark Souls 3 disclosed properly?”
    For the hacker (let’s call him Bob) who was trying to bring awareness to this problem, “Bad Press is still Good Press”.
    However, in Bob’s mission to create awareness, I wonder how many hackers & malicious actors Bob also unintentionally made aware of the vulnerability. It was for the greater good (as the problem was solved), however, I can see why “how” Bob disclosed this issue can bring its own problems.

    Overall, I shared this with my friends – (a) who are big fans of online PvP gaming and Dark Souls and (b) half own a CPSC degree – and it was quite surprising how many of us never heard of remote code execution. I really enjoyed how clear and concise this information was presented.

    Thanks for the great article!

  6. Interesting post. I thought that the game developers would want to hear of security faults in their game to protect their users and make the game more enjoyable but it seems that some game developers only care about getting their products out *cough* FNAF *cough*. I agree with your comment on the disclosure of the vulnerability. The discoverer tried to tell the developers and they did not listen so he/she showed them how dangerous the vulnerability was. In this case bad press is not better than no press and the developers could have dealt with the vulnerability quietly. Instead they lost the trust of their players and the respect of any other game developers.

  7. I wonder if this has any connection to the log4j and shell exploits that cropped up recently? I remember hearing about it due to the RCE exploits allowed inside of Minecraft, as that is a game created mostly, if not entirely, in Java if memory serves correctly. Sounds like Mojang took a much more aggressive response than FromSoftware did, probably due to the difference in player bases? Either way, this is scary stuff. Exploits that allow executions at the command line are definitely not something that should be ignored, so I’m pretty disappointed in the lack of communication on FromSoftware’s part. That said, I’m happy it was resolved with (seemingly) minimal damages, if any at all.

  8. This is a very informative post. It’s very concerning to me that FromSoftware ignored the individual who had found the exploit, and that they only responded after the bad press came out. Dark Souls 3 was released in 2016; the fact that an exploit has been found now may imply there are more games out there with multiplayer servers that have security vulnerabilities. Hopefully this story can be an industry-wide learning experience, and prompt every other game developer with online multiplayer games to check for potential exploits.

  9. It is scary to think that games we play, especially a quite popular one like Dark Souls 3, can lead to these vulnerabilities and exploits in our systems, with some possibly still being out there that have yet to be discovered. I agree with you that this vulnerability was disclosed properly. If they had already attempted to contact the developers and were ignored, then this seems like a less harmful way to get the attention of and warn not just the developer but the public and users of the potential vulnerability, even with the potential risks of disclosing such info.

  10. Great post! My thoughts are that since it is apparent that FromSoftware and Bandai Namco had opted to neglect this vulnerability, it seems inevitable that someone would end up exposing it. Needless to say, the company got lucky that this certain someone did so for ethical reasons. It is the seller’s job to ensure the quality of their product. Ideally, a customer should not have to be barred from using ANY of the product’s intended features (ex. PvP). With that being said, the fault lies entirely with FromSoftware and Bandai Namco. I applaud whoever disclosed this malicious bug – even if it was done publicly. It ensured that the problem could be dealt with as quickly as possible.

  11. Great article. It is unfortunate that the neglect of FromSoftware and Bandai Namco has left the online aspect of one of their most popular games susceptible to one of the worst cybersecurity vulnerabilities, RCE. I liked how you provided context to the questionably ethical method of exposing the vulnerability through your CVD section. Nonetheless, I believe the method in which the vulnerability was exposed (executing a PowerShell script to read text) is quite harmless in comparison to the many things that could have been done. Not to mention the effectiveness of having it done through Twitch, one of the most popular streaming platforms, allowed the issue to gain much more traction than it would have normally.

  12. Haha, as many others have commented, great title to your blog post. I found your blog post from Kell Larson’s post about a similar exploit (RCE from the Adobe commerce service). Since I often play games, it is a scary thing what is possible when third parties find backdoor entries like this one that essentially give them free rein on what they could do on your computer. Thankfully the person who found it had good intentions, and I even looked up the Twitch stream in which the exploit was shown off (harder than it sounds since the vod had been removed) and the text-to-speech message was pretty funny.

  13. It’s more than a bit frustrating that this vulnerability was brought up to the developers/publisher, and repeatedly ignored. You would think that they would take these kinds of claims very seriously, especially considering the public damages that can, and in this case did, occur both to their product and their reputation. In your opinion, should there be more of a framework for rewarding people that come forward with vulnerabilities?
