Disclaimer: I do not want to undermine Drobo’s official stance on the matter, but I believe some clarification is needed, especially if you use some of the DroboApps from DroboPorts.
DroboShare: I do not know whether Bash is included in the firmware or not. Since it is a very old device, with a firmware that predates the DroboFS, I suspect that it does not contain Bash in its firmware.
DroboFS: It does not contain Bash in its firmware. If you installed the Bash DroboApp from DroboPorts, please do update as soon as possible from here: https://github.com/droboports/bash/releases
Drobo5N: It does contain Bash (firmware version 3.1.0 [8.30.62261]). It is “disabled” (see below for an explanation), but the version that is installed (4.1.9) is vulnerable.
Here is more information about the version that comes with the 5N:
Version: GNU bash, version 4.1.9(2)-release (arm-unknown-linux-gnu)
Size: 699044 bytes
B800fs: I do not know whether Bash is included in the firmware or not. I have heard reports that it uses a firmware similar to the DroboFS, so it probably does not contain Bash.
B1200i: I do not know whether Bash is included in the firmware or not.
TL;DR: As far as I can tell, the only device potentially at risk is the 5N.
The risk is mitigated by the fact that this version does not run in its stock configuration. In fact, if you try to run /bin/bash on a Drobo5N you get this error message back:
/bin/bash: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory
This means that bash is dynamically linked against the ncurses library, which is not part of the firmware. That is easily bypassed by setting LD_LIBRARY_PATH to a directory that contains the library when invoking bash; the alias below does exactly that.
There are many DroboApps that include libncurses.so.5. For example, python2 ships with it.
The following commands will confirm the vulnerabilities (see https://shellshocker.net/ for more information):
$ alias bash="LD_LIBRARY_PATH=/mnt/DroboFS/Shares/DroboApps/python2/lib /bin/bash"
$ bash --version
GNU bash, version 4.1.9(2)-release (arm-unknown-linux-gnu)
$ wget https://shellshocker.net/shellshock_test.sh --no-check-certificate
$ bash shellshock_test.sh
CVE-2014-6271 (original shellshock): VULNERABLE
CVE-2014-6278 (Florian's patch): VULNERABLE
CVE-2014-7169 (taviso bug): VULNERABLE
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
Keep in mind that the alias is just a handy shortcut. The exploits work just as well if you replace “bash” with “LD_LIBRARY_PATH=/mnt/DroboFS/Shares/DroboApps/python2/lib /bin/bash” in the original examples.
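The script below is an added example (it is not code from this post, from DroboPorts or from shellshocker.net) that packages the procedure above into something you can run offline: it takes a bash binary and an optional directory containing libncurses.so.5, applies the same LD_LIBRARY_PATH trick as the alias, and runs the three probes whose payloads are the public CVE-2014-6271, CVE-2014-7169 and function-import test strings. It also includes a helper that finds every DroboApp directory shipping libncurses.so.5, which answers the "do you have apps that ship with libncurses" question. All function names, the argument layout and the default paths are this example's own assumptions.

```shell
#!/bin/sh
# shellshock_probe.sh: offline Shellshock probes against an arbitrary bash
# binary, reproducing the LD_LIBRARY_PATH trick from the post so a bash that
# is "broken" by a missing libncurses.so.5 can still be tested.
# Added example, not code from the post, DroboPorts or shellshocker.net.
# The payloads are the public test strings for each issue; the wrapper
# functions, their names and the argument layout are this example's own.
#
# Usage: sh shellshock_probe.sh [bash-binary] [dir-with-libncurses.so.5]
#   e.g. sh shellshock_probe.sh /bin/bash /mnt/DroboFS/Shares/DroboApps/python2/lib

# find_ncurses_dirs ROOT: print every directory under ROOT holding a
# libncurses.so.5 (or a versioned libncurses.so.5.x), i.e. every candidate
# LD_LIBRARY_PATH for the bypass. On a Drobo5N ROOT would be
# /mnt/DroboFS/Shares/DroboApps (assumed path, taken from the post's alias).
find_ncurses_dirs() {
    find "$1" -name 'libncurses.so.5*' 2>/dev/null | while read -r f; do
        dirname "$f"
    done | sort -u
}

# run_probe BIN LIBDIR NAME VALUE [bash args...]
# Execute BIN with NAME=VALUE in its environment (Shellshock is triggered by
# bash parsing function definitions out of any inherited variable). If LIBDIR
# is non-empty it is prepended to LD_LIBRARY_PATH, like the alias in the post.
run_probe() {
    bin=$1; libdir=$2; name=$3; value=$4; shift 4
    if [ -n "$libdir" ]; then
        env LD_LIBRARY_PATH="$libdir${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" \
            "$name=$value" "$bin" "$@"
    else
        env "$name=$value" "$bin" "$@"
    fi
}

# CVE-2014-6271: commands placed after the function body in the variable are
# executed while bash imports the function. Returns 0 if vulnerable, 1 if not.
probe_cve_2014_6271() {
    out=$(run_probe "$1" "$2" x '() { :;}; echo VULNERABLE' -c 'echo done' 2>/dev/null) || true
    case $out in *VULNERABLE*) return 0 ;; *) return 1 ;; esac
}

# CVE-2014-7169: the incomplete parse leaves a dangling redirection, so the
# following `echo date` writes the output of `date` into a file named `echo`.
# Run in a scratch directory so the probe's file cannot land anywhere useful.
probe_cve_2014_7169() {
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && run_probe "$1" "$2" x '() { (a)=>\' -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -s "$tmp/echo" ]; then rm -rf "$tmp"; return 0; fi
    rm -rf "$tmp"; return 1
}

# Function import from an arbitrary variable name (the check the
# shellshocker.net output above labels "Florian's patch"): a patched bash only
# imports functions from specially prefixed variables, so `shellshocker` stays
# undefined and `bash -c shellshocker` fails with "command not found".
probe_function_import() {
    out=$(run_probe "$1" "$2" shellshocker '() { echo VULNERABLE; }' -c shellshocker 2>/dev/null) || true
    case $out in *VULNERABLE*) return 0 ;; *) return 1 ;; esac
}

# verdict PROBE BIN LIBDIR: prints VULNERABLE or "not vulnerable".
verdict() {
    if "$1" "$2" "$3"; then echo VULNERABLE; else echo "not vulnerable"; fi
}

# shellshock_report BIN LIBDIR: one line per probe, in the style of the post's output.
shellshock_report() {
    echo "bash under test: $1${2:+ (LD_LIBRARY_PATH=$2)}"
    echo "CVE-2014-6271 (original shellshock): $(verdict probe_cve_2014_6271 "$1" "$2")"
    echo "CVE-2014-7169 (taviso bug):          $(verdict probe_cve_2014_7169 "$1" "$2")"
    echo "function import from env var:        $(verdict probe_function_import "$1" "$2")"
}

BASH_UNDER_TEST=${1:-$(command -v bash 2>/dev/null || echo /bin/bash)}
shellshock_report "$BASH_UNDER_TEST" "${2:-}"
```

On a Drobo5N you would first run `find_ncurses_dirs /mnt/DroboFS/Shares/DroboApps` to list the library directories, then pass one of them as the second argument; any line reporting VULNERABLE means /bin/bash on that box can be driven from an environment variable by whatever happens to set one and spawn it. The 7186/7187 crash tests from shellshock_test.sh are deliberately left out here; for those, run the script from the post.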
As a Drobo5N owner, what should I do to ensure that there are no problems?
The following is my opinion. It applies to version 3.1.0 [8.30.62261] of the Drobo5N firmware. Take it with a grain of salt.
Do you have apps installed (from DroboPorts or otherwise) that ship with libncurses (e.g., apache2, python2, php5)? If so, either delete /bin/bash or replace it immediately using the latest version from https://github.com/droboports/bash/releases.
In the long term, DRI should remove bash from the firmware: nothing can be using it, since it ships in a broken state, and as shown above it leaves a window open for attackers.