[Bug 2142520] Re: bpfcc-tools installed by default on Ubuntu Server 24.04 via ubuntu-kernel-accessories

Mon Feb 23 22:08:17 UTC 2026

Reference: Ubuntu Specification US094 "Kernel Accessories Seed and Metapackage"
https://discourse.ubuntu.com/t/spec-kernel-accessories-seed-and-metapackage/43133
Created: 2023-02-02, Author: Robie Basak

Is particularly concerning that snooping tools are now default in
Ubuntu. Most sysadmins are unware of this. (including myself until
today)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-meta in Ubuntu.
https://bugs.launchpad.net/bugs/2142520

Title:
  bpfcc-tools installed by default on Ubuntu Server 24.04 via ubuntu-
  kernel-accessories

Status in ubuntu-meta package in Ubuntu:
  New

Bug description:
  Bug Report: bpfcc-tools installed by default on Ubuntu Server 24.04
  via ubuntu-kernel-accessories

  Package: ubuntu-kernel-accessories
  Affects: Ubuntu Server 24.04 LTS (Noble)
  Severity: Medium, perhaps High.
  Type: Security / Default Install Policy

  Description:
  -----------

  When auditing my system, I came across "bpfcc-tools", without
  recalling I ever installed it. (turns out I did not).

  A default Ubuntu Server 24.04 installation silently installed `bpfcc-
  tools` and `bpftrace` via the following dependency chain:

  ubuntu-standard
      -> ubuntu-kernel-accessories (Recommends)
          -> bpfcc-tools
          -> bpftrace

  Since apt honors Recommends by default, these packages are installed
  on a default Ubuntu Server deployment without any explicit user action
  or notification. This is worrisome.

  Security Impact:
  ---------------

  `bpfcc-tools` is not a passive debugging toolkit. It provides kernel-
  level eBPF-based surveillance capabilities including:

  - `bashreadline-bpfcc` - captures all bash input system-wide including passwords typed at prompts
  - `sslsniff-bpfcc` - intercepts decrypted TLS traffic in memory
  - `ttysnoop-bpfcc` - records all keystrokes in any TTY session including root sessions
  - `opensnoop-bpfcc` - traces every file open call system-wide
  - `execsnoop-bpfcc` - traces every process execution system-wide

  If an attacker gains any foothold on the system, these tools are
  immediately available without needing to install anything, transfer
  any files, or trip any integrity checks. The tools are already
  present, already trusted, and already have kernel-level access by
  design.

  "Living off the land" attacks:
  -----------------------------

  These tools make sniffing TLS connections, access bash shells,
  sockets, prompts, and more, accessible by default. (including to
  insiders with access to the same server)

  Tools that are frequently abused in post-exploitation:

  - sslsniff-bpfcc is particularly concerning. This is an eBPF-based SSL/TLS sniffer that can intercept encrypted traffic in plaintext from within the host. It should almost never be on a production server.
  - ttysnoop-bpfcc can attach to TTY sessions and record everything typed by other users, including root. This is a surveillance/credential-harvesting tool.
  - sofdsnoop-bpfcc sniffs file descriptors passed over Unix sockets, which can expose sensitive IPC data.
  - bashreadline-bpfcc and bashreadline.bt hook into readline and capture everything typed in bash shells system-wide, including passwords typed at prompts.
  - opensnoop-bpfcc / opensnoop.bt trace every file open call system-wide, useful for discovering secret file paths.
  - execsnoop.bt traces every process execution system-wide. Fine for debugging, dangerous if an attacker uses it to watch for privileged operations.

  The entire bpfcc / bpftrace suite is a risk surface.

  Insider Threat Concern:
  ----------------------

  Because these tools are installed by default and have legitimate
  surveillance-like behavior by design, any subtle malicious
  modification to the package would be extremely difficult to detect.
  The delta between legitimate and malicious behavior could be as small
  as an additional network exfiltration call, which would blend into the
  tool's normal operation profile.

  Why this is might be a valid concern:
  --------------------------------------
  It slowly introduces things that are risky, then let everyone warm up to it and then have it by default in Ubuntu. The XZ attacker's playbook applied here:

  The XZ backdoor author spent two years:

  - Making legitimate contributions
  - Building trust with maintainers
  - Slowly gaining commit access
  - Finally inserting the backdoor in a compressed binary blob that was hard to review

  We never know what state-actors are up to, and if they are infiltrated
  and warming people up to accept snooping tools in their Ubuntu by
  default. Perhaps I am wrong, but what if I am not?

  Verification:
  -------------
  apt-cache policy bpfcc-tools
  apt rdepends bpfcc-tools
  apt depends ubuntu-kernel-accessories

  Steps to reproduce:
  -------------------
  1. Install Ubuntu Server 24.04 LTS with default options
  2. Run: dpkg -l | grep bpfcc
  3. Observe bpfcc-tools installed without explicit user request

  Expected behavior:
  -----------------

  bpfcc-tools and bpftrace should not be installed by default on
  production servers. They should be available as explicit opt-in
  packages for administrators who specifically need kernel-level
  observability tooling.

  Suggested fix:
  --------------
  Remove bpfcc-tools and bpftrace from the Recommends list in `ubuntu-kernel-accessories`, or create a separate ubuntu-kernel-debug-tools meta-package that administrators can explicitly install when needed.

  Workaround:
  -----------

  apt remove bpfcc-tools bpftrace
  apt remove ubuntu-kernel-accessories
  apt-mark hold bpfcc-tools bpftrace
  apt remove ubuntu-standard

  Reporter: flaneurette
  Tested on: Ubuntu 24.04 LTS Noble, kernel 6.8.0-101-generic

  -

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-meta/+bug/2142520/+subscriptions