
FreeNAS (based on FreeBSD 9.2) has a vulnerable bash. I have 9.2.1.7.



The question is, does it call bash in its dhclient-script? I took a look through the FreeBSD source tree, and their version of dhclient-script uses /bin/sh. As long as /bin/sh is not bash (and that script doesn't in turn call any other bash scripts) it should be OK.

The best way to find out if you're vulnerable is by testing. It takes just a few minutes to set up dnsmasq to serve up an exploit. Here were my settings:

  interface=eth2
  dhcp-range=10.0.1.100,10.0.10.200,12h
  dhcp-option-force=114,() { :; }; echo "hi"

Of course, replace that 'echo "hi"' with the exploit of your choice. In my case, the output from dhclient would be printed on screen when restarting networking, so 'echo "hi"' was sufficient to verify that it was being executed.

If any bash scripts are called, with the environment variables that are set by dhclient, then that snippet should be run. If bash is not invoked, then that snippet won't ever run.
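
The local side of the check described in the comment above (is the interpreter of dhclient-script, or of a script it calls, actually bash?), as an added example that is not part of the original thread. The function names are hypothetical and the scripts to inspect are passed as arguments; it reads shebang lines only, so scripts that are sourced or started indirectly still need a manual look.

```shell
#!/bin/sh
# Added example (not from the thread): list which of the given scripts would be
# executed by bash, judging by the shebang and by probing the interpreter.

# Print the interpreter named by a script's shebang; fail if it has none.
interp_of() {
    first=
    [ -r "$1" ] || return 1
    IFS= read -r first < "$1" || :      # a missing final newline is fine
    case $first in '#!'*) ;; *) return 1 ;; esac
    set -f                              # no globbing while splitting the line
    set -- ${first#'#!'}
    set +f
    # "#!/usr/bin/env bash": the interpreter is env's first non-option argument
    if [ "${1##*/}" = env ]; then
        shift
        while [ "$#" -gt 0 ]; do
            case $1 in -*|*=*) shift ;; *) break ;; esac
        done
    fi
    [ -n "${1-}" ] && printf '%s\n' "$1"
}

# True if the interpreter is bash, even when it is installed as "sh".
is_bash() {
    case ${1##*/} in
        sh|bash|rbash) ;;
        *) return 1 ;;                  # only probe things that claim to be a shell
    esac
    # bash sets BASH_VERSION under any name; other shells print nothing here.
    [ -n "$("$1" -c 'printf %s "${BASH_VERSION-}"' 2>/dev/null)" ]
}

# Print "script<TAB>interpreter" for every argument that bash would run.
bash_scripts() {
    for f in "$@"; do
        i=$(interp_of "$f") || continue
        if is_bash "$i"; then printf '%s\t%s\n' "$f" "$i"; fi
    done
}

# Stand-alone use: pass the DHCP client script and any hook scripts as arguments.
[ "$#" -eq 0 ] || bash_scripts "$@"
```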


You can pretty much guarantee that nothing in the core system for FreeBSD calls Bash, because Bash isn't in the core system :)


FreeNAS doesn't use bash as /bin/sh by default or as root shell unless you've set it yourself (which some users do: http://forums.freenas.org/index.php?threads/replacing-standa...)


Yes. In this thread: http://forums.freenas.org/index.php?threads/its-bashs-turn-t... a user speculates that bash is included only for user convenience. I didn't know if repeating this speculation was HN-worthy, so I only reported what I knew for a fact.

The following indicates that a patched bash is forthcoming: http://lists.freenas.org/pipermail/freenas-commit/2014-Septe...



