
I believe there will be plenty of Linux NASs that will be vulnerable for the foreseeable future. NASs are usually bigger and more functional than routers, they tend to run a more full system. Many of these for example run bash as far as I remember: http://www.amazon.com/s/field-keywords=QNAP



Just FYI to other owners:

Synology DSM 5.0-4493 Update 5 here: it uses busybox, so not vulnerable.

    synology> which bash
    synology> which sh
    /bin/sh
    synology> which ash
    /bin/ash
    synology> ls -l /bin/sh
    lrwxrwxrwx    1 root     root             7 Jun  5 11:27 /bin/sh -> busybox
    synology> ls -l /bin/ash
    lrwxrwxrwx    1 root     root             7 Jun  5 11:27 /bin/ash -> busybox


Thank you for checking out DSM! This comment saved me a bunch of time.


Given the rate at which QNAP issues updates I'm not expecting it to be fixed for at least another month, and that will most likely be a beta release. I like my QNAP NAS but I don't think I'd buy another QNAP product. They are just too unresponsive to these sorts of things.


Is it possible to update bash on the QNAP? I know you can install an SVN server using Optware IPKG but would this work with the updated Bash? These QNAPs do way too many things with barely any software updates. It's a disaster waiting to happen.


just ssh'd into my WD mycloud.. yep it's vulnerable

    WDMyCloud:~# ls -l /bin/sh
    lrwxrwxrwx 1 root root 4 Jun 30 08:38 /bin/sh -> bash


There are a bunch of daemons running on a fully configured My Cloud. I haven't had much success in finding anything yet, but yeah, it has the bug.

  nas:~# bash --version | head -1
  GNU bash, version 4.2.37(1)-release (arm-unknown-linux-gnueabihf)
  nas:~# uname -a
  Linux nas 3.2.26 #1 SMP Tue Jun 17 15:53:22 PDT 2014 wd-2.2-rel armv7l GNU/Linux
  nas:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  vulnerable
  this is a test

EDIT: formatting.


And indeed I just received an email from QNAP:

http://qnap.benchmarkmails26.com/c/v?e=53F45E&c=47C09&l=149F...


ReadyNAS (Netgear's NAS) uses dash by default, and bash can be upgraded to "4.2+dfsg-0.1+deb7u3"[1].

[1]: https://security-tracker.debian.org/tracker/CVE-2014-6271


Synology released a security advisory outlining the affected Synology NASs: https://www.synology.com/en-global/support/security/bash_she...
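
The two checks posted in this thread (where `/bin/sh` points, and the `env x=...` probe) combined into one local self-check script. This is an added example, not code from any commenter or vendor; the function names are made up here. It also probes any `bash` found on `PATH`, because `/bin/sh` pointing at busybox or dash does not mean bash is absent.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the thread.

# Print which shell binary a path such as /bin/sh finally resolves to.
classify_shell() (
    target=$(readlink -f "$1" 2>/dev/null) || target=$1
    case "$(basename "$target")" in
        bash|busybox|dash) basename "$target" ;;
        *) echo other ;;
    esac
)

# Run the probe quoted in the thread against one binary. A vulnerable bash
# executes the text after the function body while importing the variable x.
probe_bash() (
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' \
        2>/dev/null) || true
    case "$out" in
        vulnerable*)      echo vulnerable ;;
        "this is a test") echo passed ;;     # passed this one probe only
        *)                echo unknown ;;    # binary missing or did not run
    esac
)

# One report line per path: probe it only if it really is bash.
audit_shell() (
    kind=$(classify_shell "$1")
    if [ "$kind" = bash ]; then
        echo "$1: bash ($(probe_bash "$1"))"
    else
        echo "$1: $kind (not bash)"
    fi
)

# Check the system shell, then any bash installed alongside it.
audit_shell /bin/sh
b=$(command -v bash 2>/dev/null) && audit_shell "$b" || echo "no bash on PATH"
```

A `passed` result only means this specific probe did not fire; the vendor advisory for the device remains the authority on whether the installed build is fixed.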



