The person whose exploit took Souls servers offline is worried about Elden Ring

Bandai Namco has been aware of severe security flaws within its Dark Souls games for years but has failed to address them, despite numerous emails and hundreds of support tickets, it’s been alleged.

And with developer From Software’s next Souls game, Elden Ring, just weeks away from release, people who have dug into its network test net code claim it could share many of the same issues.

On January 23, Bandai Namco temporarily removed PvP servers for Dark Souls: Remastered, Dark Souls 2 and Dark Souls 3, following the discovery of a severe remote code execution (RCE) vulnerability, which was said to allow abusers to take control of other players’ PCs.

Over a week later, Dark Souls’ PC servers remain offline and there’s no word on when they’ll return.

One of the people behind the discovery of the vulnerability told VGC they had made Bandai Namco aware of the issue over a month earlier, and that neither the publisher nor developer From acted upon the warning until it was made public in a last-ditch attempt to provoke action:

Another member of the Dark Souls community told VGC they made the games’ publisher aware of a second, yet to be made public RCE as far back as in 2020 and that it remains unfixed.

The person who discovered the latest RCE alleges that there are serious issues with all of the Souls games’ shared network infrastructure and said they believe it’s “inevitable” that Elden Ring will feature many of the same exploits, which will “probably be ported without issues and used on release by malicious cheaters.”

VGC has been told there are over 100 cheats, hacks and security vulnerabilities within Dark Souls 3, some of which are listed here. Many of these will only affect PC players but can cause a variety of issues.

These range from game crashes and corrupt save data to in the most serious cases, RCE vulnerabilities, that allow malicious players to take control of the host’s PC where they can access sensitive data or install malware.

In correspondence seen by VGC, the person that discovered the latest RCE vulnerability, who wishes to remain anonymous, reported the issue via email to Bandai Namco’s support team and spent several days putting together a PDF document in a follow-up email detailing the vulnerabilities and how to fix them, along with links demonstrating the RCE in action.

“Another member of the Dark Souls community told VGC they made the games’ publisher aware of a second, yet to be made public RCE as far back as in 2020 and that it remains unfixed.”

Both emails were acknowledged by Bandai Namco’s support team, the first on Dec 11, and the second on Dec 16, with the customer service rep saying the information had been “sent to the dedicated teams so they can investigate and take the necessary measures.”

Over one month later, and disappointed with the lack of action for such a serious security vulnerability, the person that found this RCE organised a stunt in which the exploit was performed in a non-malicious way on Twitch to capture the studio’s attention so they would be forced to address it.

This worked, as PvP servers for Dark Souls: Remastered, Dark Souls 2 and Dark Souls 3 were deactivated on January 23, as From Software announced it was working on a fix for the issue.

While this issue has now been acknowledged, some within the Dark Souls community were not surprised about its discovery.

“My main reason for not being surprised is that I also reported an RCE to Bandai Namco in early 2020 and was met with the exact same radio silence,” Reddit user LukeYui tells us, who has since requested a CVE ID for the exploit.

This RCE is different to the one that was widely reported on last week and was still present in Dark Souls 3 until its servers were removed. It’s unclear if this issue, as well as the other 100+ known cheats in Dark Souls 3, will be patched alongside the vulnerability that caused the removal of the Dark Souls servers.

LukeYui has made numerous reports about cheats and vulnerabilities in Dark Souls 3 to Bandai Namco. One of the most severe and widespread is a New Game+ exploit which was first reported by LukeYui to the publisher in 2019.

This allows invading players to manipulate save file flags of the host and joined players, forcing them into an NG+ cycle and potentially corrupting save files in the process. One Dark Souls 3 player lost over 200 hours of playtime after their save file was corrupted by a hacker and has stopped playing the game as a result.

“I’ve reported many things over the years to Bandai Namco. Every time I’ve been told ‘it will be passed on to the development team’ and I never hear anything else back,” LukeYui tells us.

“My main reason for not being surprised is that I also reported an RCE to Bandai Namco in early 2020 and was met with the exact same radio silence”

Many of the reported issues remain unaddressed or unacknowledged entirely but Bandai Namco has introduced minor fixes for some issues.

One cheat allowing invading players to place hacked items into the inventory of the host (known as item injection) used to result in soft bans, but Bandai Namco no longer bans accounts for injected items. That said, the cheat can still cause permanent damage by breaking items in a player’s inventory.

When asked about the severity of security issues within the Souls games, the person that discovered the latest RCE vulnerability told VGC there are serious issues with the games’ network infrastructure.

“While it’s not much, I have modded a few other games with an online component and nothing came close to how ‘broken’ Souls networking is,” they explained over email.

“It really seems like the online is ‘pasted’ over a single-player game and no thoughts are given about security. It’s staggering how many game structs are memory-mapped into network packets and sent to other players, then used by the receiving player’s game directly. There are almost no data sanity checks.

“The way the executables are built doesn’t help either. For example, in Dark Souls 3, address space layout randomization (ASLR) is disabled and the game’s code pages are marked as RWE (Read-Write-Execute) instead of RE only, which makes exploitation of vulnerabilities into RCEs much, much easier.

“Ironically, I suspect those decisions were made specifically to facilitate the implementation of From’s anti-cheat, which also happens to be useless for stopping most cheaters.”

They also claimed that while they can’t go into specifics as to avoid giving away the exploit details, the latest RCE could be used against console players without the attacker needing a jailbroken console. [UPDATE FEB 2 ’22: Upon further investigation into the matter of leveraging the vulnerability against console players, a new roadblock was uncovered which makes it impossible for Dark Souls III. However, this roadblock does not apply to all Souls games, and there is still a possibility the exploit could be pulled off on console for other titles.]

Disappointed with the lack of action from Bandai Namco and From Software, LukeYui created the anti-chat mod, Blue Sentinel, which has over 43k unique downloads and patches more than 100 known cheats within Dark Souls 3.

“I started work on the mod in early 2021 because at that point, it was obvious that Bandai and FromSoftware weren’t taking the RCE I reported in 2020 seriously. I decided to fix it myself so that if it ever did become public knowledge, at the very least some of the player base would be protected.”

“They also claimed that the latest RCE could be used against console players without the attacker needing a jailbroken console.”

LukeYui tells us he won’t be playing Elden Ring online until a Blue Sentinel equivalent is available. A developer who is helping him maintain Blue Sentinel is currently working on an Elden Ring solution, but they say it won’t be immediately ready at release.

“I’ve had the chance to see code from the closed network test and can already tell you that there are a lot of crashes and vulnerabilities in Elden Ring’s netcode, the exact same ones as in Dark Souls III actually! So, I suspect it’s going to take five minutes for cheaters from Dark Souls III to port their scripts to Elden Ring and make release day a hellscape.”

The irony of Blue Sentinel and other protection mods is they’re discouraged by Bandai support as they violate its End User License Agreement regarding the use of external tools and programs.

“This leaves players in a position where they’re faced with two choices,” LukeYui told us. “Risk getting banned by a cheater, or risk getting banned by using an external tool to protect against cheaters.”

The Elden Ring EULA does reveal the game will use the EasyAntiCheat anti-cheat service, which works by monitoring the hardware, analysing the game binaries and scanning the hardware memory for the ‘purpose of detecting and preventing cheating.’

This EULA was last updated April 1, 2018, but LukeYui believes it won’t stop experienced cheaters.

“What it should stop is inexperienced cheaters just going around in the first day or so of the release instant killing other players and generally causing chaos,” he tells us. “What it won’t stop is people who have experience developing cheat tools which they may keep private, sell, or give away.

“This is why I highlighted my concern about whether they have actually addressed the issues plaguing their multiplayer functionality: even with the best anti-cheat software in the world if the base product (i.e. Elden Ring itself) is still exploitable to cheaters then it will be exploited.”

The person who discovered the latest RCE agreed that EasyAntiCheat should prevent most rookie cheat-users in Elden Ring, but said they have bigger concerns when it comes to severe vulnerabilities.

“I was made aware of the use of EAC in Elden Ring yesterday,” they said. “Overall, I think this will greatly help mitigate the online cheating problem in Souls games. EAC is one of the better commercial anti-cheats, and bypassing it is not trivial and requires writing a kernel driver. EAC updates also regularly break bypasses, which must be fixed by the cheat developers.

“It is imperative that From Software fixes the underlying netcode vulnerabilities for EAC to be effective in the long term.”

“While this high barrier of entry should drastically reduce the number of cheaters, I do have some concerns: It is highly possible that From will simply strap EAC on their game and ignore the flaws in their netcode that allowed cheats to do so much damage to other players in the first place.

“Indeed, while EAC is hard to bypass, professional cheat developers do it all the time. Hence while it will slow down the spread of cheats, eventually paid cheating tools which can abuse the same netcode exploits and get players banned, brick saves, crash games, etc will be available.

“It is imperative that From Software fixes the underlying netcode vulnerabilities for EAC to be effective in the long term.”

They added: “If the above point turns out to be true, EAC would hinder any community action on the problem. Indeed, community anti cheats which patch network exploits like Blue Sentinel would require an EAC bypass themselves to be usable, making them much harder to maintain.”

As for why previous issues haven’t been adequately addressed before now, everyone we spoke with suggested a variety of reasons, from reports not getting passed to the right teams to communication issues between international offices.

There is no direct way of reporting security vulnerabilities with From Software games.

Nearly a week after From Software publicly acknowledged the latest RCE issue, the person that discovered it says they haven’t received further correspondence on how or when it will be addressed.

“Right now I’m waiting on FromSoftware to announce their plans regarding the servers: are they staying down, are they working on a fix, etc,” they said.

“My original plan was to fully disclose the exploit details after I could confirm the fix or server end of life was declared, but it’s already been a few days and no news. I’m thinking about announcing a deadline after which I will make exploit details public no matter what.”

Bandai Namco did not immediately respond to a request for comment.