Public bug reported:
Bug Report: bpfcc-tools installed by default on Ubuntu Server 24.04 via
ubuntu-kernel-accessories
Package: ubuntu-kernel-accessories
Affects: Ubuntu Server 24.04 LTS (Noble)
Severity: Medium, perhaps High.
Type: Security / Default Install Policy
Description:
-----------
When auditing my system, I came across "bpfcc-tools", without recalling
I ever installed it. (turns out I did not).
A default Ubuntu Server 24.04 installation silently installed `bpfcc-
tools` and `bpftrace` via the following dependency chain:
ubuntu-standard
-> ubuntu-kernel-accessories (Recommends)
-> bpfcc-tools
-> bpftrace
Since apt honors Recommends by default, these packages are installed on
a default Ubuntu Server deployment without any explicit user action or
notification. This is worrisome.
Security Impact:
---------------
`bpfcc-tools` is not a passive debugging toolkit. It provides kernel-
level eBPF-based surveillance capabilities including:
- `bashreadline-bpfcc` - captures all bash input system-wide including
passwords typed at prompts
- `sslsniff-bpfcc` - intercepts decrypted TLS traffic in memory
- `ttysnoop-bpfcc` - records all keystrokes in any TTY session including root
sessions
- `opensnoop-bpfcc` - traces every file open call system-wide
- `execsnoop-bpfcc` - traces every process execution system-wide
If an attacker gains any foothold on the system, these tools are
immediately available without needing to install anything, transfer any
files, or trip any integrity checks. The tools are already present,
already trusted, and already have kernel-level access by design.
"Living off the land" attacks:
-----------------------------
These tools make sniffing TLS connections, access bash shells, sockets,
prompts, and more, accessible by default. (including to insiders with
access to the same server)
Tools that are frequently abused in post-exploitation:
- sslsniff-bpfcc is particularly concerning. This is an eBPF-based SSL/TLS
sniffer that can intercept encrypted traffic in plaintext from within the host.
It should almost never be on a production server.
- ttysnoop-bpfcc can attach to TTY sessions and record everything typed by
other users, including root. This is a surveillance/credential-harvesting tool.
- sofdsnoop-bpfcc sniffs file descriptors passed over Unix sockets, which can
expose sensitive IPC data.
- bashreadline-bpfcc and bashreadline.bt hook into readline and capture
everything typed in bash shells system-wide, including passwords typed at
prompts.
- opensnoop-bpfcc / opensnoop.bt trace every file open call system-wide, useful
for discovering secret file paths.
- execsnoop.bt traces every process execution system-wide. Fine for debugging,
dangerous if an attacker uses it to watch for privileged operations.
The entire bpfcc / bpftrace suite is a risk surface.
Insider Threat Concern:
----------------------
Because these tools are installed by default and have legitimate
surveillance-like behavior by design, any subtle malicious modification
to the package would be extremely difficult to detect. The delta between
legitimate and malicious behavior could be as small as an additional
network exfiltration call, which would blend into the tool's normal
operation profile.
Why this is might be a valid concern:
--------------------------------------
It slowly introduces things that are risky, then let everyone warm up to it and
then have it by default in Ubuntu. The XZ attacker's playbook applied here:
The XZ backdoor author spent two years:
- Making legitimate contributions
- Building trust with maintainers
- Slowly gaining commit access
- Finally inserting the backdoor in a compressed binary blob that was hard to
review
We never know what state-actors are up to, and if they are infiltrated
and warming people up to accept snooping tools in their Ubuntu by
default. Perhaps I am wrong, but what if I am not?
Verification:
-------------
apt-cache policy bpfcc-tools
apt rdepends bpfcc-tools
apt depends ubuntu-kernel-accessories
Steps to reproduce:
-------------------
1. Install Ubuntu Server 24.04 LTS with default options
2. Run: dpkg -l | grep bpfcc
3. Observe bpfcc-tools installed without explicit user request
Expected behavior:
-----------------
bpfcc-tools and bpftrace should not be installed by default on
production servers. They should be available as explicit opt-in packages
for administrators who specifically need kernel-level observability
tooling.
Suggested fix:
--------------
Remove bpfcc-tools and bpftrace from the Recommends list in
`ubuntu-kernel-accessories`, or create a separate ubuntu-kernel-debug-tools
meta-package that administrators can explicitly install when needed.
Workaround:
-----------
apt remove bpfcc-tools bpftrace
apt remove ubuntu-kernel-accessories
apt-mark hold bpfcc-tools bpftrace
apt remove ubuntu-standard
Reporter: flaneurette
Tested on: Ubuntu 24.04 LTS Noble, kernel 6.8.0-101-generic
-
** Affects: ubuntu-meta (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142520
Title:
bpfcc-tools installed by default on Ubuntu Server 24.04 via ubuntu-
kernel-accessories
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-meta/+bug/2142520/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
