Zyxel security advisory for XSS vulnerability of GS1900 series switches

Zyxel_Carter · July 2021

CVE: CVE-2021-35030

Summary

Zyxel has released patches addressing a cross-site scripting (XSS) vulnerability in the GS1900 series of switches. Users are advised to install the applicable firmware updates for optimal protection.

What is the vulnerability?

A XSS vulnerability was identified in Zyxel’s GS1900 series of switches, such that an attack could be triggered when a user accesses certain GUI pages with the malicious LLDP packets processed by the switch. However, this can only occur if the attacker is directly connected to the switch, because the LLDP protocol only allows LLDP packets to be sent to and received from devices that are directly connected to each other; thus, the risk is relatively low.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable switches and released firmware patches to address the issue, as shown in the table below.

Affected model	Patch availability
GS1900-8	V2.70(AAHH.3)C0
GS1900-8HP	V2.70(AAHI.3)C0
GS1900-10HP	V2.70(AAZI.3)C0
GS1900-16	V2.70(AAHJ.3)C0
GS1900-24E	V2.70(AAHK.3)C0
GS1900-24EP	V2.70(ABTO.3)C0
GS1900-24	V2.70(AAHL.3)C0
GS1900-24HP	V2.70(AAHM.3)C0
GS1900-24HPv2	V2.70(ABTP.3)C0
GS1900-48	V2.70(AAHN.3)C0
GS1900-48HP	V2.70(AAHO.3)C0
GS1900-48HPv2	V2.70(ABTQ.3)C0

Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.

Acknowledgment

Thanks to Jasper Lievisse Adriaanse for reporting the issue to us.

Revision history

2021-7-27: Initial release

2021-7-30: Updated the hotfix links

2022-6-13: Update the patch availability in the table. Users are requested to contact Zyxel’s local support team for the standard firmware in the interim.

2022-9-1: Update the patch availability