nigelj: Based on networkn's quote and the Synology changelog, looks like the issue that was fixed back in Feb was related to the following two CVEs:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6955 (CVSS Base Score 10)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6987 (CVSS Base Score 7.5)
6955 looks to be the nasty one:
Overview
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.
So: people, upgrade your NAS!
There have been people on the latest firmware at the time this was released who got pwned too. The exploit has been around for a while; however, Synology have not gotten to patching it up until the day a few NASes were cracked.
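An added example, not from any poster in this thread: a small audit that compares DSM version strings against the fixed builds given in the CVE-2013-6955 description quoted above. The hostnames and inventory are constructed, the version-string format is assumed to match the advisory's wording, and a "fixed" result covers only this CVE.

```python
import re

# First fixed (build, update) per DSM branch, taken from the CVE-2013-6955
# description quoted in the thread. Branches not named there are not judged.
FIXED = {
    (4, 0): (2259, 0),
    (4, 2): (3243, 0),
    (4, 3): (3810, 1),  # 4.3-3810 without "Update 1" is still affected
}

# Assumed input format, following the advisory: "[DSM ]4.3-3810[ Update 1]"
_VERSION_RE = re.compile(
    r"^\s*(?:DSM\s+)?(\d+)\.(\d+)-(\d+)(?:\s+Update\s+(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_dsm_version(text):
    """Return ((major, minor), (build, update)) or raise ValueError."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised DSM version string: {text!r}")
    major, minor, build = (int(m.group(i)) for i in (1, 2, 3))
    update = int(m.group(4) or 0)
    return (major, minor), (build, update)


def cve_2013_6955_status(text):
    """Return 'vulnerable', 'fixed' or 'not-listed' for one version string."""
    branch, level = parse_dsm_version(text)
    fixed = FIXED.get(branch)
    if fixed is None:
        return "not-listed"  # the quoted advisory says nothing about this branch
    return "vulnerable" if level < fixed else "fixed"


def audit(inventory):
    """Map each host to a status; unparseable strings are reported, not skipped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = cve_2013_6955_status(version)
        except ValueError:
            report[host] = "unparseable"
    return report


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"nas-01": "DSM 4.3-3810", "nas-02": "4.3-3810 Update 1",
              "nas-03": "4.0-2258", "nas-04": "4.1-2661"}
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```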