[Bug 2142520] [NEW] bpfcc-tools installed by default on Ubuntu Server 24.04 via ubuntu-kernel-accessories

Alexandra 2142520 at bugs.launchpad.net
Mon Feb 23 21:45:45 UTC 2026


Public bug reported:

Bug Report: bpfcc-tools installed by default on Ubuntu Server 24.04 via
ubuntu-kernel-accessories

Package: ubuntu-kernel-accessories
Affects: Ubuntu Server 24.04 LTS (Noble)
Severity: Medium, perhaps High.
Type: Security / Default Install Policy

Description:
-----------

When auditing my system, I came across "bpfcc-tools" without recalling
that I ever installed it (it turns out I did not).

A default Ubuntu Server 24.04 installation silently installed
`bpfcc-tools` and `bpftrace` via the following dependency chain:

ubuntu-standard
    -> ubuntu-kernel-accessories (Recommends)
        -> bpfcc-tools
        -> bpftrace

Since apt honors Recommends by default, these packages are installed on
a default Ubuntu Server deployment without any explicit user action or
notification. This is worrisome.

Security Impact:
---------------

`bpfcc-tools` is not a passive debugging toolkit. It provides kernel-
level eBPF-based surveillance capabilities including:

- `bashreadline-bpfcc` - captures all bash input system-wide including passwords typed at prompts
- `sslsniff-bpfcc` - intercepts decrypted TLS traffic in memory
- `ttysnoop-bpfcc` - records all keystrokes in any TTY session including root sessions
- `opensnoop-bpfcc` - traces every file open call system-wide
- `execsnoop-bpfcc` - traces every process execution system-wide

If an attacker gains any foothold on the system, these tools are
immediately available without needing to install anything, transfer any
files, or trip any integrity checks. The tools are already present,
already trusted, and already have kernel-level access by design.

"Living off the land" attacks:
-----------------------------

These tools make sniffing TLS connections, accessing bash shells, sockets,
prompts, and more, available by default (including to insiders with
access to the same server).

Tools that are frequently abused in post-exploitation:

- sslsniff-bpfcc is particularly concerning. This is an eBPF-based SSL/TLS sniffer that can intercept encrypted traffic in plaintext from within the host. It should almost never be on a production server.
- ttysnoop-bpfcc can attach to TTY sessions and record everything typed by other users, including root. This is a surveillance/credential-harvesting tool.
- sofdsnoop-bpfcc sniffs file descriptors passed over Unix sockets, which can expose sensitive IPC data.
- bashreadline-bpfcc and bashreadline.bt hook into readline and capture everything typed in bash shells system-wide, including passwords typed at prompts.
- opensnoop-bpfcc / opensnoop.bt trace every file open call system-wide, useful for discovering secret file paths.
- execsnoop.bt traces every process execution system-wide. Fine for debugging, dangerous if an attacker uses it to watch for privileged operations.

The entire bpfcc / bpftrace suite is a risk surface.

Insider Threat Concern:
----------------------

Because these tools are installed by default and have legitimate
surveillance-like behavior by design, any subtle malicious modification
to the package would be extremely difficult to detect. The delta between
legitimate and malicious behavior could be as small as an additional
network exfiltration call, which would blend into the tool's normal
operation profile.

Why this might be a valid concern:
--------------------------------------
It slowly introduces things that are risky, then lets everyone warm up to them, and then has them installed by default in Ubuntu. The XZ attacker's playbook applied here:

The XZ backdoor author spent two years:

- Making legitimate contributions
- Building trust with maintainers
- Slowly gaining commit access
- Finally inserting the backdoor in a compressed binary blob that was hard to review

We never know what state-actors are up to, and if they are infiltrated
and warming people up to accept snooping tools in their Ubuntu by
default. Perhaps I am wrong, but what if I am not?

Verification:
-------------
apt-cache policy bpfcc-tools
apt rdepends bpfcc-tools
apt depends ubuntu-kernel-accessories
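The dependency chain and the verification commands above can also be checked without running apt, by reading the two files dpkg and apt maintain themselves. The following is an added example, not code from this bug report or from Ubuntu; it assumes the stanza format of /var/lib/dpkg/status and the Auto-Installed marks in /var/lib/apt/extended_states, and the sample records embedded in it are constructed to mirror the chain in the report (package names taken from the report, everything else invented). It walks the reverse Depends/Recommends edges from each target package up to the first manually installed package and reports the chain, whether the target was auto-installed, and whether anything hard-Depends on it.

```python
import re

TARGETS = ("bpfcc-tools", "bpftrace")

# Constructed sample in the format of /var/lib/dpkg/status: the chain mirrors the bug
# report, the other packages are invented and version fields are omitted.
SAMPLE_DPKG_STATUS = """\
Package: ubuntu-standard
Status: install ok installed
Recommends: ubuntu-kernel-accessories, openssh-server

Package: ubuntu-kernel-accessories
Status: install ok installed
Recommends: bpfcc-tools, bpftrace

Package: bpfcc-tools
Status: install ok installed
Depends: python3-bpfcc (= 0.0), libbpfcc (= 0.0)

Package: bpftrace
Status: install ok installed
Depends: libc6 (>= 2.34), libbpf1 | libbpf0
"""

# Constructed sample in the format of /var/lib/apt/extended_states; ubuntu-standard
# has no entry, i.e. apt regards it as deliberately installed.
SAMPLE_EXTENDED_STATES = """\
Package: ubuntu-kernel-accessories
Auto-Installed: 1

Package: bpfcc-tools
Auto-Installed: 1

Package: bpftrace
Auto-Installed: 1
"""

_REL_NAME = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9+.-]*)")  # name before any (version) / :arch

def parse_stanzas(text):
    """Debian control-style text -> one dict per blank-line-separated stanza."""
    stanzas, current = [], {}
    for line in text.splitlines() + [""]:  # sentinel flushes the last stanza
        if not line.strip():
            if current:
                stanzas.append(current)
            current = {}
        elif not line[0].isspace():  # folded continuation lines are irrelevant here
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return stanzas

def parse_relations(field):
    """'a (>= 1), b:any | c' -> ['a', 'b', 'c']: names only, every alternative kept."""
    return [m.group(1) for group in field.split(",") for alt in group.split("|")
            if (m := _REL_NAME.match(alt))]

def installed_packages(status_text):
    """name -> stanza for packages dpkg currently reports as installed."""
    return {s["Package"]: s for s in parse_stanzas(status_text)
            if s.get("Status", "").endswith(" installed")}

def auto_installed(extended_text):
    """Packages apt marked as pulled in automatically rather than requested by the admin."""
    return {s["Package"] for s in parse_stanzas(extended_text) if s.get("Auto-Installed") == "1"}

def reverse_edges(pkgs):
    """dependency name -> [(dependant, relation)], over installed packages only."""
    rev = {}
    for name, stanza in pkgs.items():
        for relation in ("Pre-Depends", "Depends", "Recommends"):
            for dep in parse_relations(stanza.get(relation, "")):
                rev.setdefault(dep, []).append((name, relation))
    return rev

def pull_chains(rev, auto, target):
    """Every chain 'root -Relation-> ... target', ending at a manually installed root."""
    chains = []
    def walk(name, path, seen):
        parents = rev.get(name, [])
        if name not in auto or not parents:  # manual root, or nothing pulls it in
            chains.append(" ".join(f"{n} -{r}->" if r else n for n, r in reversed(path)))
            return
        for parent, relation in parents:
            if parent not in seen:  # guard against dependency cycles
                walk(parent, path + [(parent, relation)], seen | {parent})
    walk(target, [(target, None)], {target})
    return chains

def audit(status_text, extended_text, targets=TARGETS):
    """Per target: installed?, auto-installed?, pull-in chains, and who hard-Depends on it."""
    pkgs, auto = installed_packages(status_text), auto_installed(extended_text)
    rev = reverse_edges(pkgs)
    return {t: {"installed": t in pkgs,
                "auto": t in auto,
                "chains": pull_chains(rev, auto, t) if t in pkgs else [],
                # Depends/Pre-Depends on it means removal breaks something; Recommends does not
                "hard_dependants": [p for p, r in rev.get(t, []) if r != "Recommends"]}
            for t in targets}
```

On a real host the same check is `audit(open("/var/lib/dpkg/status").read(), open("/var/lib/apt/extended_states").read())`; with the embedded samples it reports both targets as auto-installed, reached only through `ubuntu-standard -Recommends-> ubuntu-kernel-accessories -Recommends-> ...`, with no hard dependants, which is exactly the situation where apt's default handling of Recommends (the `APT::Install-Recommends` setting) decides whether the tools land on the box. The script only reads records and changes nothing, so it is suitable for confirming a host's state before and after applying the workaround further down.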

Steps to reproduce:
-------------------
1. Install Ubuntu Server 24.04 LTS with default options
2. Run: dpkg -l | grep bpfcc
3. Observe bpfcc-tools installed without explicit user request

Expected behavior:
-----------------

bpfcc-tools and bpftrace should not be installed by default on
production servers. They should be available as explicit opt-in packages
for administrators who specifically need kernel-level observability
tooling.

Suggested fix:
--------------
Remove bpfcc-tools and bpftrace from the Recommends list in `ubuntu-kernel-accessories`, or create a separate ubuntu-kernel-debug-tools meta-package that administrators can explicitly install when needed.

Workaround:
-----------

apt remove bpfcc-tools bpftrace
apt remove ubuntu-kernel-accessories
apt-mark hold bpfcc-tools bpftrace
apt remove ubuntu-standard

Reporter: flaneurette
Tested on: Ubuntu 24.04 LTS Noble, kernel 6.8.0-101-generic

-

** Affects: ubuntu-meta (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2142520