[Bug 2142520] Re: bpfcc-tools installed by default on Ubuntu Server 24.04 via ubuntu-kernel-accessories
Alexandra
2142520 at bugs.launchpad.net
Mon Feb 23 23:40:34 UTC 2026
** Description changed:
Bug Report: bpfcc-tools installed by default on Ubuntu Server 24.04 via
ubuntu-kernel-accessories
Package: ubuntu-kernel-accessories
Affects: Ubuntu Server 24.04 LTS (Noble)
Severity: Medium, perhaps High.
Type: Security / Default Install Policy
Description:
-----------
When auditing my system, I came across "bpfcc-tools", without recalling
I ever installed it. (turns out I did not).
A default Ubuntu Server 24.04 installation silently installed `bpfcc-
tools` and `bpftrace` via the following dependency chain:
ubuntu-standard
-> ubuntu-kernel-accessories (Recommends)
-> bpfcc-tools
-> bpftrace
Since apt honors Recommends by default, these packages are installed on
a default Ubuntu Server deployment without any explicit user action or
notification. This is worrisome.
Security Impact:
---------------
`bpfcc-tools` is not a passive debugging toolkit. It provides kernel-
level eBPF-based surveillance capabilities including:
- `bashreadline-bpfcc` - captures all bash input system-wide including passwords typed at prompts
- `sslsniff-bpfcc` - intercepts decrypted TLS traffic in memory
- `ttysnoop-bpfcc` - records all keystrokes in any TTY session including root sessions
- `opensnoop-bpfcc` - traces every file open call system-wide
- `execsnoop-bpfcc` - traces every process execution system-wide
If an attacker gains any foothold on the system, these tools are
immediately available without needing to install anything, transfer any
files, or trip any integrity checks. The tools are already present,
already trusted, and already have kernel-level access by design.
"Living off the land" attacks:
-----------------------------
These tools make sniffing TLS connections, access bash shells, sockets,
prompts, and more, accessible by default. (including to insiders with
access to the same server)
Tools that are frequently abused in post-exploitation:
- sslsniff-bpfcc is particularly concerning. This is an eBPF-based SSL/TLS sniffer that can intercept encrypted traffic in plaintext from within the host. It should almost never be on a production server.
- ttysnoop-bpfcc can attach to TTY sessions and record everything typed by other users, including root. This is a surveillance/credential-harvesting tool.
- sofdsnoop-bpfcc sniffs file descriptors passed over Unix sockets, which can expose sensitive IPC data.
- bashreadline-bpfcc and bashreadline.bt hook into readline and capture everything typed in bash shells system-wide, including passwords typed at prompts.
- opensnoop-bpfcc / opensnoop.bt trace every file open call system-wide, useful for discovering secret file paths.
- execsnoop.bt traces every process execution system-wide. Fine for debugging, dangerous if an attacker uses it to watch for privileged operations.
The entire bpfcc / bpftrace suite is a risk surface.
Insider Threat Concern:
----------------------
Because these tools are installed by default and have legitimate
surveillance-like behavior by design, any subtle malicious modification
to the package would be extremely difficult to detect. The delta between
legitimate and malicious behavior could be as small as an additional
network exfiltration call, which would blend into the tool's normal
operation profile.
Why this is might be a valid concern:
--------------------------------------
It slowly introduces things that are risky, then let everyone warm up to it and then have it by default in Ubuntu. The XZ attacker's playbook applied here:
The XZ backdoor author spent two years:
- Making legitimate contributions
- Building trust with maintainers
- Slowly gaining commit access
- Finally inserting the backdoor in a compressed binary blob that was hard to review
We never know what state-actors are up to, and if they are infiltrated
and warming people up to accept snooping tools in their Ubuntu by
default. Perhaps I am wrong, but what if I am not?
Verification:
-------------
apt-cache policy bpfcc-tools
apt rdepends bpfcc-tools
apt depends ubuntu-kernel-accessories
Steps to reproduce:
-------------------
1. Install Ubuntu Server 24.04 LTS with default options
2. Run: dpkg -l | grep bpfcc
3. Observe bpfcc-tools installed without explicit user request
Expected behavior:
-----------------
bpfcc-tools and bpftrace should not be installed by default on
production servers. They should be available as explicit opt-in packages
for administrators who specifically need kernel-level observability
tooling.
Suggested fix:
--------------
Remove bpfcc-tools and bpftrace from the Recommends list in `ubuntu-kernel-accessories`, or create a separate ubuntu-kernel-debug-tools meta-package that administrators can explicitly install when needed.
Workaround:
-----------
apt remove bpfcc-tools bpftrace
+ apt-mark hold bpfcc-tools bpftrace
apt remove ubuntu-kernel-accessories
- apt-mark hold bpfcc-tools bpftrace
apt remove ubuntu-standard
-
- Check:
- ------
-
+ apt autoremove
+
+ Confirm:
+ -------
+ dpkg -l | grep bpfcc
+ apt-mark showhold
+
+ Also check:
+ ----------
+
+ # Check current value
sysctl kernel.unprivileged_bpf_disabled
- Set to: kernel.unprivileged_bpf_disabled = 1
+ # Verify it's persistent
+ grep unprivileged_bpf /etc/sysctl.conf /etc/sysctl.d/*.conf 2>/dev/null
+
+ # If not found, add it
+ echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf
+ sysctl -p
To prevent www-data PHP RCE, which could potentially invoke BPF
programs.
Additional scans to perform (just to be sure PHP RCE cannot occur easily)
-------------------------------------------------------------------------
# World-writable files across server:
find /var/www -perm -o+w 2>/dev/null -ls
# SUID files across server:
find /var/www -perm /4000 2>/dev/null -ls
# Root owned files in web director(ies) across server:
find /var/www -user root 2>/dev/null -ls
If so, change it asap:
# Example:
chown -R www-data:www-data /var/www
--
Reporter: flaneurette
Tested on: Ubuntu 24.04 LTS Noble, kernel 6.8.0-101-generic
-
P.S. Things to consider:
------------------------
The cost-benefit analysis is completely lopsided:
1. Benefits of default inclusion:
- Convenient for the ~0.1% of programmers who do eBPF development
- Saves them one apt install bpfcc-tools command.
Why? this seems a valid question to consider.
2. Costs of default inclusion:
- Kernel-level surveillance toolkit on every default Ubuntu server
- TLS bypass capability pre-positioned system-wide (a secret agencies dream come true?)
- Complete LotL attack toolkit available to any attacker with foothold
- Millions of admins unaware it exists in production (banks, hospitals, governments)
- Impossible to detect if abused
- Pre-XZ threat model used to justify post-XZ risk.
"Better user experience" and "convenience" are the most effective social
engineering vectors in technology policy precisely because they're hard
to argue against without sounding paranoid or obstructionist. The
pattern is well documented in intelligence literature: It's called norm
establishment or "Overton Window manipulation." The goal is to shift
what's considered acceptable gradually:
- Start with "it's useful for debugging"
- Get it accepted as opt-in
- Move it to Recommends
- Eventually it becomes default
- Anyone questioning it is "anti-progress" or "making things harder for sysadmins"
Each step seems reasonable in isolation. The destination only becomes
visible when you zoom out.
"Better user experience" is particularly effective because:
- It's impossible to argue against without seeming difficult
- It appeals to the majority who prioritize convenience
- It reframes surveillance tools as helpful tools
- It shifts the burden of proof onto those raising concerns
- Removing it makes YOU look like the problem.
The convenience argument for including it by default is extremely weak
on servers specifically.
Hope this helps.
/flaneurette
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-meta in Ubuntu.
https://bugs.launchpad.net/bugs/2142520
Title:
bpfcc-tools installed by default on Ubuntu Server 24.04 via ubuntu-
kernel-accessories
Status in ubuntu-meta package in Ubuntu:
New
Bug description:
Bug Report: bpfcc-tools installed by default on Ubuntu Server 24.04
via ubuntu-kernel-accessories
Package: ubuntu-kernel-accessories
Affects: Ubuntu Server 24.04 LTS (Noble)
Severity: Medium, perhaps High.
Type: Security / Default Install Policy
Description:
-----------
When auditing my system, I came across "bpfcc-tools", without
recalling I ever installed it. (turns out I did not).
A default Ubuntu Server 24.04 installation silently installed `bpfcc-
tools` and `bpftrace` via the following dependency chain:
ubuntu-standard
-> ubuntu-kernel-accessories (Recommends)
-> bpfcc-tools
-> bpftrace
Since apt honors Recommends by default, these packages are installed
on a default Ubuntu Server deployment without any explicit user action
or notification. This is worrisome.
Security Impact:
---------------
`bpfcc-tools` is not a passive debugging toolkit. It provides kernel-
level eBPF-based surveillance capabilities including:
- `bashreadline-bpfcc` - captures all bash input system-wide including passwords typed at prompts
- `sslsniff-bpfcc` - intercepts decrypted TLS traffic in memory
- `ttysnoop-bpfcc` - records all keystrokes in any TTY session including root sessions
- `opensnoop-bpfcc` - traces every file open call system-wide
- `execsnoop-bpfcc` - traces every process execution system-wide
If an attacker gains any foothold on the system, these tools are
immediately available without needing to install anything, transfer
any files, or trip any integrity checks. The tools are already
present, already trusted, and already have kernel-level access by
design.
"Living off the land" attacks:
-----------------------------
These tools make sniffing TLS connections, access bash shells,
sockets, prompts, and more, accessible by default. (including to
insiders with access to the same server)
Tools that are frequently abused in post-exploitation:
- sslsniff-bpfcc is particularly concerning. This is an eBPF-based SSL/TLS sniffer that can intercept encrypted traffic in plaintext from within the host. It should almost never be on a production server.
- ttysnoop-bpfcc can attach to TTY sessions and record everything typed by other users, including root. This is a surveillance/credential-harvesting tool.
- sofdsnoop-bpfcc sniffs file descriptors passed over Unix sockets, which can expose sensitive IPC data.
- bashreadline-bpfcc and bashreadline.bt hook into readline and capture everything typed in bash shells system-wide, including passwords typed at prompts.
- opensnoop-bpfcc / opensnoop.bt trace every file open call system-wide, useful for discovering secret file paths.
- execsnoop.bt traces every process execution system-wide. Fine for debugging, dangerous if an attacker uses it to watch for privileged operations.
The entire bpfcc / bpftrace suite is a risk surface.
Insider Threat Concern:
----------------------
Because these tools are installed by default and have legitimate
surveillance-like behavior by design, any subtle malicious
modification to the package would be extremely difficult to detect.
The delta between legitimate and malicious behavior could be as small
as an additional network exfiltration call, which would blend into the
tool's normal operation profile.
Why this is might be a valid concern:
--------------------------------------
It slowly introduces things that are risky, then let everyone warm up to it and then have it by default in Ubuntu. The XZ attacker's playbook applied here:
The XZ backdoor author spent two years:
- Making legitimate contributions
- Building trust with maintainers
- Slowly gaining commit access
- Finally inserting the backdoor in a compressed binary blob that was hard to review
We never know what state-actors are up to, and if they are infiltrated
and warming people up to accept snooping tools in their Ubuntu by
default. Perhaps I am wrong, but what if I am not?
Verification:
-------------
apt-cache policy bpfcc-tools
apt rdepends bpfcc-tools
apt depends ubuntu-kernel-accessories
Steps to reproduce:
-------------------
1. Install Ubuntu Server 24.04 LTS with default options
2. Run: dpkg -l | grep bpfcc
3. Observe bpfcc-tools installed without explicit user request
Expected behavior:
-----------------
bpfcc-tools and bpftrace should not be installed by default on
production servers. They should be available as explicit opt-in
packages for administrators who specifically need kernel-level
observability tooling.
Suggested fix:
--------------
Remove bpfcc-tools and bpftrace from the Recommends list in `ubuntu-kernel-accessories`, or create a separate ubuntu-kernel-debug-tools meta-package that administrators can explicitly install when needed.
Workaround:
-----------
apt remove bpfcc-tools bpftrace
apt-mark hold bpfcc-tools bpftrace
apt remove ubuntu-kernel-accessories
apt remove ubuntu-standard
apt autoremove
Confirm:
-------
dpkg -l | grep bpfcc
apt-mark showhold
Also check:
----------
# Check current value (Best to have: 2, worst: 0.)
sysctl kernel.unprivileged_bpf_disabled
# Verify it's persistent
grep unprivileged_bpf /etc/sysctl.conf /etc/sysctl.d/*.conf 2>/dev/null
# If not found, add it
echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf
sysctl -p
To prevent www-data PHP RCE, which could potentially invoke BPF
programs.
Additional scans to perform (just to be sure PHP RCE cannot occur easily)
-------------------------------------------------------------------------
# World-writable files across server:
find /var/www -perm -o+w 2>/dev/null -ls
# SUID files across server:
find /var/www -perm /4000 2>/dev/null -ls
# Root owned files in web director(ies) across server:
find /var/www -user root 2>/dev/null -ls
If so, change it asap:
# Example:
chown -R www-data:www-data /var/www
--
Reporter: flaneurette
Tested on: Ubuntu 24.04 LTS Noble, kernel 6.8.0-101-generic
-
P.S. Things to consider:
------------------------
The cost-benefit analysis is completely lopsided:
1. Benefits of default inclusion:
- Convenient for the ~0.1% of programmers who do eBPF development
- Saves them one apt install bpfcc-tools command.
Why? this seems a valid question to consider.
2. Costs of default inclusion:
- Kernel-level surveillance toolkit on every default Ubuntu server
- TLS bypass capability pre-positioned system-wide (a secret agencies dream come true?)
- Complete LotL attack toolkit available to any attacker with foothold
- Millions of admins unaware it exists in production (banks, hospitals, governments)
- Impossible to detect if abused
- Pre-XZ threat model used to justify post-XZ risk.
"Better user experience" and "convenience" are the most effective
social engineering vectors in technology policy precisely because
they're hard to argue against without sounding paranoid or
obstructionist. The pattern is well documented in intelligence
literature: It's called norm establishment or "Overton Window
manipulation." The goal is to shift what's considered acceptable
gradually:
- Start with "it's useful for debugging"
- Get it accepted as opt-in
- Move it to Recommends
- Eventually it becomes default
- Anyone questioning it is "anti-progress" or "making things harder for sysadmins"
Each step seems reasonable in isolation. The destination only becomes
visible when you zoom out.
"Better user experience" is particularly effective because:
- It's impossible to argue against without seeming difficult
- It appeals to the majority who prioritize convenience
- It reframes surveillance tools as helpful tools
- It shifts the burden of proof onto those raising concerns
- Removing it makes YOU look like the problem.
The convenience argument for including it by default is extremely weak
on servers specifically.
Hope this helps.
/flaneurette
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-meta/+bug/2142520/+subscriptions
More information about the foundations-bugs
mailing list