Bandai Namco, publisher of the Dark Souls role-playing game series, has taken down its player-versus-player servers while it investigates reports of a serious vulnerability that allows players to execute malicious code on the PCs of fellow players.
Word of the critical remote-code-execution flaw emerged over the weekend in Reddit threads here and here. An exploit that hit a user named The_Grim_Sleeper was captured in a video stream posted over the weekend. Starting around 1:20:22, the user’s game crashed, and a robotic voice mocked his gameplay and maturity level.
“What the fuck,” The_Grim_Sleeper said in response. “My game just crashed, and immediately Powershell opened up and started narrating a fucking” screed. “I didn’t even know that shit was possible.”
Details about the vulnerability weren’t immediately available. Initially, reports said the vulnerability resided in Dark Souls 3. On Sunday, Bandai Namco representatives said the company was removing PvP server play for Dark Souls 3, Dark Souls 2, and Dark Souls: Remastered as it investigated the reports. The tweet also said that Dark Souls: Prepare to Die would be affected.
Based on the description and the demo on Twitch, the vulnerability sounds critical because it allows hackers to remotely execute code of their choice on PCs as they play the games against other players. That means attackers could conceivably install ransomware, keyloggers, remote access trojans, or other malicious wares when they’re connected to the same PvP server as a target.
In many respects, the vulnerability resembles that Log4j vulnerability that surfaced late last month. That vulnerability made it possible for Minecraft players to execute malicious code on the PCs or servers of fellow players.
Few details are available about the Dark Souls vulnerability, so its cause is not immediately clear. There’s no indication, at least at the moment, that Dark Souls for Xbox or Playstation are affected.
Blue Sentinel, a community-developed Dark Souls mod designed to counteract cheats, has already introduced an update that mitigates attacks, but until Bandai Namco gives players the all clear, players are best off staying away from player-on-player gaming.
Representatives from the game maker didn’t immediately respond to a request for comment.