CVE-2023-36621: 
NixOS vulnerability analysis and mitigation

The Boomerang Parental Control application through version 13.83 for Android contains a critical security vulnerability that allows children to bypass parental controls. The vulnerability (CVE-2023-36621) was discovered in September 2022 and publicly disclosed in July 2023. The issue affects all versions of the Boomerang Parental Control app up to version 13.83, impacting Android devices that don't have Samsung KNOX capabilities (SEC Advisory, NVD).

The vulnerability stems from the application's inability to prevent bypass through Android's Safe Mode feature. When a child's device is booted into Safe Mode (accessed by long-pressing the 'Power off' or 'Reboot' button), all third-party applications including Boomerang are disabled. This allows users to revoke the app's permissions or completely uninstall it without detection. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (NVD, SEC Advisory).

The vulnerability allows children to completely bypass parental controls by temporarily disabling or permanently removing the application without parents being notified. This effectively nullifies the core functionality of the parental control system, allowing unrestricted device usage and access to potentially inappropriate content that parents intended to block (SEC Advisory, SEC Blog).

For devices that support Samsung KNOX, administrators can disable the ability to boot into Safe Mode, which prevents this exploit. For other devices, there is no complete mitigation available as of the latest reported version. The vendor has not provided a timeline for when this vulnerability will be patched. The recommended workaround is to use Samsung KNOX-capable devices or consider alternative parental control solutions (SEC Advisory, SEC Blog).

The vulnerability was discovered as part of a broader security analysis of parental control apps by SEC Consult Vulnerability Lab. The research highlighted significant security concerns in multiple parental control applications, leading to discussions about the reliability and security of such solutions. The vendor's response to the vulnerability disclosure was notably slow, with limited communication about plans for fixing the identified issues (SEC Blog).