Dark Souls 3 Servers Shut Down Due to Critical RCE Bug

The bug can allow attackers to remotely execute code on gamers’ computers. The devs temporarily deactivated PvP servers across multiple affected versions.

There’s a dangerous remote-code execution (RCE) bug in the Dark Souls video game that could let attackers brick the PCs of online players.

The flaw could allow attackers to do pretty much anything: As Kaspersky researchers explained on Monday, the bug “allows an attacker to execute almost any program on the victim’s computer, so they’re able to steal confidential data or execute any program they wish” – that includes installing malware, letting them access sensitive information or enabling them to rip off resources for cryptocurrency mining.

The main problem is with Dark Souls III, but the remote code-execution (RCE) vulnerability also affects earlier games in the Dark Soul series, leading the developers to temporarily turn off player-versus-player (PvP) servers across Dark Souls Remastered, Dark Souls II and Dark Souls III. PvP refers to players being able to interact and duel with each other.

This same bug is reportedly an issue in the Elden Ring game.

Infosec Insiders Newsletter
On Sunday, the developers said that the bug is only relevant for PC users and that Xbox and PlayStation consoles are unaffected.

The danger was brought to light on Saturday, when game fan SkeleMann urged players to steer clear of playing Dark Souls 3 online. “On PC there is a new, very serious exploit plaguing Dark Souls 3 which can cause lasting damage to your computer,” SkeleMann explained. “This could brick your PC, let your login information be shared or execute programs in the background, like a trojan horse.”

There’s a demonstration of the exploit in the Twitch stream of a player named The_Grim_Sleeper. In that stream, an unknown party launched a PowerShell script on the streamer’s computer that used the Windows Narrator engine to read out critical notes about the gameplay.

Whoever’s behind the attack apparently had benign intentions: According to a screenshotted post on the SpeedSouls’ Discord – a group focused on speedrunning, or playing video games as fast as possible – they were just trying to bring attention to the problem after having not heard back from the game’s developers about the vulnerability. Since they hadn’t heard back, they decided to hijack a popular streamer during a streaming session.

That doesn’t mean that the bug won’t be abused at some point, Kaspersky pointed out. “For example, the creator of the exploit has already shared information about the vulnerability with the developers of the Blue Sentinel plugin, a mod for Dark Souls designed to counteract cheats,” they wrote. “And one can only guess who else could get this information.

“Also, once demonstrated, other hackers may try to replicate the exploit and use it to cause real harm to players,” researchers continued. “There are various possible scenarios here: attackers can use it to steal passwords from game accounts or crypto-wallets, install good old ransomware, hidden miners and much more.”

How Gaming Brings Risk to Corporate Networks

Saryu Nayyar, CEO and founder of Gurucul, noted that this attack points to the risk of remote workers using home networks and personal devices to access corporate resources.

“As we connect our gaming systems to the same network as resources that attach to the corporate network, the infection can easily spread from home to a much bigger operation,” she noted.

That’s why it’s critical for security teams to understand how users are accessing network resources and to incorporate that information into an assessment of the risks and the severity associated with attack campaigns, she added. “This is where identity, and specifically access analytics, incorporated into next-generation [security information and event management or SIEM] can narrow down indicators of compromise and determine malicious behaviors hiding as authorized user activity.”

RCE vulnerabilities are nothing new, but they’re dangerous when no one knows they exist, noted Jorge Orchilles, CTO of SCYTHE.

“We see threat actors use RCEs all the time, especially when the vulnerabilities do not have a patch available,” he told Threatpost on Monday.

Companies affected by these types of vulnerabilities “need to take immediate action to protect their customers by releasing patches,” he stressed. “Meanwhile, gamers affected should monitor their systems for abnormal activity such as crypto-miners.”

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles