[SOLVED] IMPORTANT: PC version vulnerability

If I had to toss out a guess, I would say that they held off making any public statement until they had a fix in the works. We will see that fix, probably 1.12, once it completes QA and certification.
Would that be the same QA that said the game was ready to launch? I'm no programmer, but I have worked in QA before. CDPR's level of error deviation on the quality of their work is severely lacking. Sure, any product or service is bound to have its share of faults; however, to release a product that is not up to standard is just irresponsible!
 

Attachments

  • Cyberpunk2077 2021-02-01 11-37-28.png
  • Cyberpunk2077 2021-02-01 21-16-08.png
  • Cyberpunk2077 2021-01-30 23-18-23.png
Could this explain why after about 3 hours of play the FPS is halved? Because I had tested this mode, but I took it off a while ago!
mode = the cyber engine tweaks mod?

No that's very unlikely. This is a security vulnerability and although it could be exploited and have as a side effect performance issues, I don't think that's likely.

If you've downloaded the mod from the trusted sources (Github / their site) you should be fine.

Tbh, to mitigate the mistrust CDPR has now sown, modders could provide a (md5 or sha1) hash of their files, so the consumer can check if the files have not been modified or are fakes.

But then you'd have to trust the modder in the first place...
ah yes, cyber security requires a healthy amount of paranoia... :)

A last hint: you can always drop executables or dlls in a(n) (online) malware analysis sandbox like
https://www.joesandbox.com/#windows

Be careful & stay safe ...

Please CDPR, fix this :giveup:
 
Interesting. For that to happen, a malicious save file or mod archive has to be on the PS4 such that the game will read it. I wasn't aware that this was something a common user could do. 🤷‍♂️
Well we have seen a few people using ps4wizard to edit their console saves, so it looks like an average user can import/export saves from/to ps4.
Anyway, the original comment was about jailbreaking ps5 and xsx.. and it is the sort of vuln that will be used to break into xbox series x and ps5 (xsx is directly vulnerable by the full attack since it is running windows and probably just runs the pc version.., as for ps5 i can only speculate that it will still be a linux kernel so it would need a different second vuln).
 
Shifting the blame to modders when they are the only ones that can save this game long term, incredible. You should cooperate with them and support them, not blame them
 
Ok, I feel like I need to say something, this kind of bad practice has to stop.

Let me introduce myself, I am yamashi the creator of Cyber Engine Tweaks.

I wasn't planning on saying anything but since we, the modders, are getting blamed for this, I can't just stand on the sidelines and take it.

What CDPR posted above is WRONG, it isn't caused by an external DLL, the vulnerability is caused by a buffer overflow in a function they use to load strings, this function is used more than 100 times in the game, it is used to load the save games, the archive assets and other parts that we haven't investigated. This is 100% CDPR's fault, it isn't anybody else's fault. This is caused by a lack of proper unit testing.

What happened to owning up to your mistakes CDPR? Not only did PixelRick communicate this a week ago and you didn't do anything (this should have been hotfixed a few hours after you knew about it), but then you go public lying about the nature of the vulnerability so that modders take the fall for this? What we do, we do for free, we aren't your scapegoat, and this is definitely on you. The fact that we redirect the buffer overflow to xinput because it doesn't have ASLR does not mean that it's xinput's fault, we shouldn't be able to access xinput in the first place.

Just so you know everyone this isn't just a PC issue, every platform is affected.

It has been exploited to gain access to Geforce NOW already, maybe you should explain to NVIDIA how it is not your fault CDPR, I am not sure that's going to work once they audit the exe.
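The post above describes the root cause as a buffer overflow in a string-loading routine that is fed by save games and archive assets. The following is an added illustration written for this thread, not CDPR's code and not the game's real file format: it assumes a hypothetical length-prefixed string record (4-byte little-endian length, then that many bytes) and shows the unchecked pattern next to a hardened loader that validates the length against both the remaining input and the destination buffer. The sample records are constructed here for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout (assumption for this example):
 *   bytes 0..3  little-endian length N
 *   bytes 4..   N bytes of string data, not NUL-terminated on disk      */
#define NAME_MAX 32

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked pattern: the length field is taken from the file and trusted.
 * A record with a large N writes past 'out' (and reads past 'in').
 * Shown only for contrast; it is never called on untrusted input below. */
int load_string_unchecked(const uint8_t *in, size_t in_len, char out[NAME_MAX]) {
    if (in_len < 4) return -1;
    uint32_t len = read_le32(in);
    memcpy(out, in + 4, len);       /* BUG: len not compared with NAME_MAX or in_len */
    out[len] = '\0';                /* BUG: terminator may land outside 'out' too   */
    return (int)len;
}

/* Hardened loader: bound the length by the bytes actually present in the
 * input and by the destination capacity (leaving room for the terminator). */
int load_string_checked(const uint8_t *in, size_t in_len, char out[NAME_MAX]) {
    if (in == NULL || out == NULL || in_len < 4) return -1;
    uint32_t len = read_le32(in);
    if (len > in_len - 4) return -2;    /* record claims more bytes than the input holds */
    if (len >= NAME_MAX) return -3;     /* would overflow 'out' or lose the terminator   */
    memcpy(out, in + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample records (not from any real save file). */
static const uint8_t SAMPLE_OK[]   = { 10, 0, 0, 0, 'N','i','g','h','t',' ','C','i','t','y' };
static const uint8_t SAMPLE_HUGE[] = { 0xff, 0xff, 0xff, 0xff, 'A', 'B' };  /* N = 4294967295 */

/* Valid record: returns the decoded length (10) and verifies the content. */
int demo_valid(void) {
    char out[NAME_MAX];
    int n = load_string_checked(SAMPLE_OK, sizeof SAMPLE_OK, out);
    return (n == 10 && strcmp(out, "Night City") == 0) ? n : -99;
}

/* Length field larger than the input: rejected with -2, nothing is copied. */
int demo_oversized(void) {
    char out[NAME_MAX];
    return load_string_checked(SAMPLE_HUGE, sizeof SAMPLE_HUGE, out);
}

/* Length that fits the input but not the destination: rejected with -3. */
int demo_too_long(void) {
    uint8_t rec[4 + 40];
    rec[0] = 40; rec[1] = rec[2] = rec[3] = 0;
    memset(rec + 4, 'A', 40);
    char out[NAME_MAX];
    return load_string_checked(rec, sizeof rec, out);
}

int main(void) {
    char out[NAME_MAX];
    /* The unchecked loader is only run on the known-good record here. */
    load_string_unchecked(SAMPLE_OK, sizeof SAMPLE_OK, out);
    printf("unchecked, good record : %s\n", out);
    printf("checked, good record   : %d\n", demo_valid());
    printf("checked, huge length   : %d\n", demo_oversized());
    printf("checked, too long      : %d\n", demo_too_long());
    return 0;
}
```

The two extra comparisons are the whole fix: once the loader refuses a length it cannot satisfy, the choice of ASLR on modules such as xinput1_3.dll stops mattering for this bug, because there is no out-of-bounds write left to redirect. The same check belongs in every caller of a shared string loader, which is why a routine used in over a hundred places is best fixed once, centrally, and covered by unit tests that feed it truncated and oversized records.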
WHAT THE ACTUAL F? WHAT A CRAP SHOW
 

iCake

Forum veteran
Okay, am I the only one who doesn't see where all those "CDPR shifted all blame on modders" comments come from? The original comment only confirms that there's indeed a vulnerability and suggests that we use caution when dealing with mods/custom saves that come from unknown sources, as in use common sense, pretty much how you would do it anyway when modding your game?
 
WHAT THE ACTUAL F? WHAT A CRAP SHOW

Oh sweet summer child.... and yes that sounds as bitter as it can get.
Trust me when I say, during nearly a decade in this community, I have seen some crap
going down, but what is going on now, I think, is bad, it is really bad. As things are now
and how I see it, it'll get even worse. It is so sad to see this happen.

The point is, blaming games will bring us nowhere. Not sure how things can get better
at this point, not anymore. (and yes what I say here is watered down quite heavily)
 
Okay, am I the only one who doesn't see where all those "CDPR shifted all blame on modders" comments come from? The original comment only confirms that there's indeed a vulnerability and suggests that we use caution when dealing with mods/custom saves that come from unknown sources, as in use common sense, pretty much how you would do it anyway when modding your game?

I'm no modder or software engineer, but I think they are referring to CDPR blaming it on external DLL files, which looks like shifting that blame on mods/custom saves knowingly or unknowingly.

Either way, this topic is some juicy reading
 

iCake

Forum veteran
I'm no modder or software engineer, but I think they are referring to CDPR blaming it on external DLL files, which looks like shifting that blame on mods/custom saves knowingly or unknowingly.

Either way, this topic is some juicy reading

As in dependencies, right? Either way, they didn't say that those .dll files must come from modders to make use of the exploit.
 

iCake

Forum veteran
How people can read the same statement and see something completely different, especially on this board, is incredibly baffling to me.

One should take a statement as a whole, rather than poke at individual words that suit their point. What the statement says is that there's a vulnerability in some external .dll files the game depends on, as in those .dlls are not from mods to begin with, and that one should use caution when modifying the game code, as in use mods, as there is a risk that the mod you chose might just take advantage of the vulnerability.

Now that the CET creator says that the vulnerability does not come from some dependency .dll but rather from the native game code is a valid point, if it is indeed the case. Still, CDPR never said that it's all modders and if you refrain from using modded files you're totally exempt from the vulnerability. They simply admitted there's a potential exploit and using external files from unknown sources might lead to that vulnerability being exploited on your system.
 
To be honest CDPR's technology is really bad, CDPR wake up, stop making so much false hype, use the money you make from 2077 to recruit some really good programmers, your technology and management can't keep up with your ambition, if you don't solve these basic problems, your next game will only be worse than 2077.
 
Ok, I feel like I need to say something, this kind of bad practice has to stop.

Let me introduce myself, I am yamashi the creator of Cyber Engine Tweaks.

I wasn't planning on saying anything but since we, the modders, are getting blamed for this, I can't just stand on the sidelines and take it.

What CDPR posted above is WRONG, it isn't caused by an external DLL, the vulnerability is caused by a buffer overflow in a function they use to load strings, this function is used more than 100 times in the game, it is used to load the save games, the archive assets and other parts that we haven't investigated. This is 100% CDPR's fault, it isn't anybody else's fault. This is caused by a lack of proper unit testing.

What happened to owning up to your mistakes CDPR? Not only did PixelRick communicate this a week ago and you didn't do anything (this should have been hotfixed a few hours after you knew about it), but then you go public lying about the nature of the vulnerability so that modders take the fall for this? What we do, we do for free, we aren't your scapegoat, and this is definitely on you. The fact that we redirect the buffer overflow to xinput because it doesn't have ASLR does not mean that it's xinput's fault, we shouldn't be able to access xinput in the first place.

Just so you know everyone this isn't just a PC issue, every platform is affected.

It has been exploited to gain access to Geforce NOW already, maybe you should explain to NVIDIA how it is not your fault CDPR, I am not sure that's going to work once they audit the exe.
 
Guys, I think you are just misinterpreting a message from CD Projekt. I'm sure this exploit will be something that is addressed in patch 1.2.
 
As in dependencies, right? Either way, they didn't say that those .dll files must come from modders to make use of the exploit.
True. The statement actually did not give enough information to determine where the "external DLL" came from. People just assumed that they were pointing at the modding community. My belief is that this is an incorrect assumption.
 
True. The statement actually did not give enough information to determine where the "external DLL" came from. People just assumed that they were pointing at the modding community. My belief is that this is an incorrect assumption.
Their statement can be misinterpreted, that is why some articles thought it was about executable mods. They also only talk about a dependency (xinput1_3.dll) as being the problem, but it's a combined vulnerabilities exploit that starts with a buffer overflow in Cyberpunk2077.exe (not really a third-party dll, is it?).

Also it is not a Remote Code Execution but Arbitrary Code Execution, thus it has lower impact (although you could get hacked by just using someone else's account since save files are stored on the cloud).

There are tons of mods that are safe to use and it is not fun for creators to have to deal with users that are now scared for the wrong reasons and about the wrong things.

Hopefully it has been discovered early, CDPR did react and prepared a patch. The only sad thing is that it's slower than with other big companies, and it is putting the modding community on hold until then.
It is also my fault as the info shouldn't have been leaked this early, I talked in the wrong channel on discord :/

I'm now just waiting for the patch to come, to end all this bad press. I love the game and will continue to dev tools for it.
I wish the world wasn't constantly waiting for any excuse to burn.
 