Bash Exploit

I guess I should have mentioned that I used to work for Ubiquiti… Yes, the majority of their software development was done in Lithuania, not one person. I cannot say if that is true today, but I cannot see a reason that they would have migrated it to the US when the team over there was a great bunch. As is the MT crowd. You are the one that doesn’t trust MT but has no problem trusting UBNT. But one is a private company and one is a public company. As such the images they project usually are vastly different. But this isn’t about the bash exploit anymore but about you. Nobody else is chiming in and I in no way represent either of the above-mentioned companies anymore. IF you find a way to exploit the bash bug on any of your soon-to-be non-MT gear, post it and prove all of the above posts wrong… Otherwise… have a good day… :slight_smile:

You’ve created such a total straw-man argument, it’s farcical.

I’d be glad to trust Mikrotik, provided they acted in a trustworthy manner. As I’ve said - I’d like something better than the terse explanation that

As RouterOS does NOT use bash, no patching is required from our side.

So, does that mean:
The portions of RouterOS you work with don’t have BASH, so everything is good. We know, for example, that you don’t need access to bash directly to exploit the vulnerability. So, some clarification here would be really quite nice.

Does this mean that the given statement applies to every version of ROS, or just version 6?

The statement given could easily have many different meanings. [see how creatively the NSA “denies” all sorts of things for a lesson in misdirection] Asking for clarification isn’t “not trusting” - but simply asking for more data so I can evaluate it.

Further, the “mistrust” you give comes from your post, not mine. [Yet, I’m the one who is unwilling to trust MT?]

I’ll simply restate what I’ve asked for from the beginning, and what I DO get from UBNT [Without a lot of teeth pulling either.]; A comprehensive answer from someone who is authorized to represent the company.

Does BASH exist in any form in any version of ROS? If yes, then please detail what versions and how it’s involved so users can determine their exposure. [As this thread has gone on now, without any additional details from MT, for nearly two weeks now, I’m not holding my breath.]

Before just flaming around about a clear answer which states NO, I would remind you of something stated on the first page of this forum:

Notice: For support from Mikrotik staff, write to support@mikrotik.com - Mikrotik does not generally offer support on the forum, this is a user forum.

Have you sent a mail to support to ask this?

PS: don’t forget to ask if any older version uses apache2 as its web server and mysql to manage route lists, or if there is a hidden open office somewhere inside because there is an editor there…
Why the heck would someone put a 900k shell executable in there, if a 50k one would do the needed job?

Yes, BASH does not exist in RouterOS in any form, visible or otherwise. RouterOS is in no way affected with this thing.

Bash != ash

I have worked with ash and busybox. In fact, I just tested the shellshock vulnerability today per https://shellshocker.net/ which is a site that provides info about this issue. It also provides info about how to test for the vulnerability. Ash didn’t test positive for any vulnerability associated with shellshock. This is purely a bash bug and bash is not ash!
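
The kind of local check described in the post above, as an added example that is not part of the original thread or taken from shellshocker.net: it runs the widely published environment-function probe against each shell found on the box, so bash and ash can be compared side by side. The candidate shell list and the marker string are assumptions.

```shell
#!/bin/sh
# Added example: report which installed shells execute a command that trails
# a function definition imported from the environment (Shellshock behaviour).

# probe_shell SHELL [ARGS...]
# Prints exactly one of: absent | vulnerable | not-vulnerable
probe_shell() {
    # Skip shells that are not installed on this system.
    command -v "$1" >/dev/null 2>&1 || { echo absent; return 0; }

    # The variable's value looks like a function body followed by an extra
    # command. A vulnerable bash runs that extra command while importing the
    # variable at startup; ash, dash and patched bash treat it as plain data.
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' \
          "$@" -c 'echo done' 2>/dev/null)

    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo not-vulnerable ;;
    esac
}

# scan_shells: probe a constructed list of common shell names.
scan_shells() {
    for candidate in bash sh ash dash; do
        printf '%-12s %s\n' "$candidate" "$(probe_shell "$candidate")"
    done
    # BusyBox ships ash as an applet, so it is invoked as "busybox sh".
    printf '%-12s %s\n' "busybox sh" "$(probe_shell busybox sh)"
}

scan_shells
```

This covers only the original function-import flaw; the parser bugs found in bash shortly afterwards need their own checks, and a shell reported as `absent` here may still exist under a path outside `PATH`.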