hi pekka,
since the attack, esp. against CGI, is possible through (custom) headers/cookies etc
you'd need some waf-functionalities (afaik)
naxsi, an nginx-based waf, has a signature for this since wednesday
MainRule "str:() {" "msg:Possible Remote code execution through Bash CVE-2014-6271" "mz:BODY|HEADERS" "s:$ATTACK:8" id:42000393 ;
http://blog.dorvakt.org/2014/09/ruleset-update-possible-remote-code.html