At the height of the ever-growing Elden Ring hype in early Jan. this year, it was announced that the online portion of the PC-based series of Dark Souls games would be shut off due to major vulnerabilities. The issue cited by publisher Bandai Namco and developer FromSoftware was a remote code execution (RCE) vulnerability, tracked as CVE-2022-24126, which allowed malicious users to literally take over and control another user's PC.
As of writing, all four of the mainline Dark Souls titles (including both Dark Souls: Remastered and Dark Souls: Prepare to Die Edition) on PC have remained offline-only for a total of 113 days. That doesn't mean people can't play them, but it does rule out the fundamental crux behind their replayability: invasions and duels. Having been only briefly touched upon in Bandai's first announcement, the critical security flaws afflicting the Dark Souls games have remained rather cloudy.
Initial reports came mainly from the community, as the official Dark Souls Twitter itself relays in its first correspondence on the matter, citing "recent reports of an issue with online services." One such individual was modder LukeYui, who also voiced concern about these vulnerabilities seeping into Elden Ring, as the games all share the same netcode.
While Elden Ring does have a plethora of online PC-based issues, most prominent among them being a previous exploit that allowed invaders to send players into the bottom of the map, thereby ruining their saves, it has remained safe from the ones reported by the community on Dark Souls, as those were far more severe. But no further official word on such critical flaws has been offered...until now.
Thanks to data analytics and intelligence insight firm Flashpoint, a clearer picture of the critical issues affecting the network functionality of the Dark Souls series on PC is now available. The major concerns raised by the company include the following, which neither FromSoft nor Bandai has detailed:
- CVE-2021-34170 - Similar to the aforementioned RCE exploit, this vulnerability gives bad actors the ability to run arbitrary code to take control over a user's PC and perform malicious tasks. Its CVSSv2 score sits at a terrifying 10, the highest possible score on the chart. The other RCE vulnerability, which Flashpoint aptly coined "PaleTongue," has a CVSS score of 9.3, for perspective.
- CVE-2022-24125 - This is the most frightening of the bunch. When utilized in tandem with the PaleTongue RCE exploit, this vulnerability would allow hackers to then send out shellcode, affecting not just the one user but hundreds of thousands of online users all at once.
In addition to shining a light on these other two vulnerabilities, Flashpoint likewise details some interesting ideas about how both FromSoft and Bandai might be addressing these issues. It notes in its intro that the company did reach out to Bandai for more information and data sharing, but the publisher did not respond. Still, Flashpoint notes that while "it is possible that FromSoftware is patching...CVE-2022-24125...Dark Souls could still be at risk if CVE-2021-34170 is not patched by the time servers come back online."
William Tremblay, who initially discovered the PaleTongue exploit, mentions in the blog post that "All the significant [vulnerabilities], including 2021-34170, were fixed in Elden Ring. Hence, I would expect [FromSoftware] to fix them in Dark Souls III (or any older games affected by this vulnerability) as well." Tremblay was also assured via email that Elden Ring is not affected by any of the aforementioned issues that still plague the network functionality of Dark Souls.
No word from either FromSoft or Bandai, however, has alleviated the fanbase's concerns, but given the amount of time already expended and the relative security afforded on Elden Ring, it's safe to say these vulnerabilities will eventually be fixed for Dark Souls in due time. It's a shame the fanbase has had to wait so long for any information or further details, even an official timeline, on such issues and fixes, but with Elden Ring and its potential DLC, FromSoftware have a lot on their plate currently, so previous entries are the least of their concerns at the moment.