CVE-2023-36621

9.1 CRITICAL

📋 TL;DR

This vulnerability in the Boomerang Parental Control Android app allows a child to bypass parental restrictions by rebooting the device into Android's Safe Mode. Safe Mode loads only pre-installed system apps, so a third-party app such as Boomerang does not run there: the child can use the device unrestricted, or uninstall the app outright, and no notification reaches the parent. This affects any parent relying on the app to monitor and restrict a child's device usage.

💻 Affected Systems

Products:
  • Boomerang Parental Control
Versions: Through version 13.83
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: All installations up to and including version 13.83 are vulnerable in their default configuration. The bypass relies on Android's built-in Safe Mode, which an ordinary app cannot disable; only a device owner (an EMM/MDM agent) can block it, via the DISALLOW_SAFE_BOOT user restriction.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Children completely bypass all parental controls, access unrestricted content, uninstall monitoring software, and parents remain unaware of the security breach.

🟠

Likely Case

Children temporarily disable restrictions during specific time periods to access blocked content or apps, then re-enable normal mode, leaving parents unaware of the bypass.

🟢

If Mitigated

Parents implement additional monitoring layers or physical oversight to detect when children attempt to use Safe Mode, reducing the window of unrestricted access.

🌐 Internet-Facing: LOW - This is a local device vulnerability requiring physical access to the child's Android device; it is not exploitable over a network.
🏢 Internal Only: HIGH - The bypass is performed entirely on the child's own device, to which the child has unrestricted physical access.

🎯 Exploit Status

Public PoC: ⚠️ Yes (the public disclosure describes the steps; no exploit code is involved)
Weaponized: N/A (the bypass is an ordinary OS boot mode, not malicious code)
Unauthenticated Exploit: ✅ No (physical access to the device is required)
Complexity: LOW

Exploitation requires physical access to the child's device and knowledge of how to enter Android's Safe Mode: on most devices, long-press the power button, then long-press the Power off entry in the power menu until the "Reboot to safe mode" prompt appears (some devices instead require a volume key to be held during boot). The technique is documented in the public disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 13.83 (the affected range is "through 13.83"; no specific fixed build is named here)

Vendor Advisory: https://useboomerang.com/

Restart Required: Yes

Instructions:

1. Open the Google Play Store on the child's device.
2. Search for Boomerang Parental Control.
3. Check for available updates.
4. Install the latest version (above 13.83).
5. Restart the device after installation.

🔧 Temporary Workarounds

Disable Safe Mode Access

Platform: android

Only a device owner can block Safe Mode. An EMM/MDM agent provisioned as device owner (for example with `adb shell dpm set-device-owner` on a freshly reset device with no accounts, or through enterprise enrollment) can apply the DISALLOW_SAFE_BOOT user restriction (Android 6.0 and later), which removes the safe-boot option from the power menu. A consumer app installed from the Play Store, Boomerang included, is not a device owner and cannot set this restriction itself.

Enhanced Physical Monitoring

Platform: all

Check the device regularly: confirm the app is still installed and still reporting check-ins to the parent account.

🧯 If You Can't Patch

  • Inspect the device regularly to verify the app is installed and functioning
  • Run an additional monitoring solution alongside Boomerang for defense in depth, so that one app's absence is noticed by the other

🔍 How to Verify

Check if Vulnerable:

Check app version in Google Play Store or app settings. If version is 13.83 or lower, device is vulnerable.

Check Version:

Settings > Apps > Boomerang Parental Control > App info

Verify Fix Applied:

Verify the app version is above 13.83 in the app settings, then reboot the device into Safe Mode and confirm that the bypass no longer works.
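The version check above can also be done from a workstation with adb. The following is an added example, not the vendor's tooling: it parses the `versionName=` line that `adb shell dumpsys package <pkg>` prints and compares it against 13.83 numerically, field by field, so that a build such as 13.9 is correctly treated as older than 13.83 rather than newer. The package name `PKG` and the `SAMPLE_DUMPSYS` text are constructed assumptions; confirm the real package id with `adb shell pm list packages | grep -i boomerang`.

```python
"""Check whether an installed Boomerang build falls in the vulnerable range.

Added example; not Boomerang's code. The package id PKG is an assumption,
and SAMPLE_DUMPSYS is a constructed stand-in for real dumpsys output.
"""
import re
import subprocess

LAST_VULNERABLE = "13.83"
PKG = "com.example.boomerang"  # assumption: substitute the real package id

# Constructed sample of the relevant part of `adb shell dumpsys package <pkg>`
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.boomerang] (1a2b3c4):
    userId=10123
    versionCode=1383 minSdk=23 targetSdk=33
    versionName=13.83
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
"""


def parse_version(text):
    """Return the first versionName= value in dumpsys output, or None."""
    m = re.search(r"^\s*versionName=(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(version):
    """'13.83' -> (13, 83); compared as integers, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable(version):
    """True for every build up to and including 13.83."""
    return version_tuple(version) <= version_tuple(LAST_VULNERABLE)


def assess(dumpsys_text):
    """Classify dumpsys output as vulnerable / patched / not installed."""
    version = parse_version(dumpsys_text)
    if version is None:
        return ("not_installed_or_unknown", None)
    return ("vulnerable" if is_vulnerable(version) else "patched", version)


def assess_device(pkg=PKG):
    """Query a USB-attached device via adb and classify the installed build."""
    proc = subprocess.run(
        ["adb", "shell", "dumpsys", "package", pkg],
        capture_output=True, text=True, check=False,
    )
    return assess(proc.stdout)


if __name__ == "__main__":
    print(assess(SAMPLE_DUMPSYS))
```

Run `assess_device()` with a device attached and USB debugging enabled; `assess(SAMPLE_DUMPSYS)` shows the classification offline.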

📡 Detection & Monitoring

Log Indicators:

  • App uninstallation events: an app that has just been removed receives no notification of its own removal, so this signal has to come from the parent-side service noticing that the device has stopped reporting
  • Safe Mode boot events in system logs: visible in logcat only if something on the device is collecting it; the parental-control app itself does not run in Safe Mode and cannot report the event while it is happening
  • Parental control policy violation alerts

Network Indicators:

  • Absence of the app's regular check-in traffic: while the device is in Safe Mode, or after the app is uninstalled, the device stops reporting, so a check-in gap spanning several intervals is the most reliable indicator

SIEM Query (generic pseudo-query; the field and event names are placeholders to map onto your own log schema):

EventID: (app_uninstall OR safe_mode_boot) AND app_name:"Boomerang Parental Control"

🔗 References